
Pretty sure I don't have anything, but...


11 replies to this topic

#1 jazzman831

jazzman831

  • Members
  • 40 posts
  • Gender:Male

Posted 29 March 2016 - 09:19 PM

Last night someone used my username and password to log in to my bank and send themselves almost $5,000. I noticed it almost immediately (I actually logged on before they made the transfer and while I was on the phone with my bank I saw the new transaction). The bank has now finished their investigation and the only thing they figured out is that the guy used my credentials to access the website. Because they don't know how the hacker got my password, they can't rule out a keylogger on my computer, and will not allow me to access my bank account until I tell them I've taken my computer to a professional cleaner to get it "fixed". (I should note, that last time my fiancee forgot her password, she called up the bank, answered a couple of questions and then the guy read the password to her over the phone).

 

I should also mention at this point that she defined a professional cleaning as "opening up the computer and getting the bugs out, because they aren't always in your hard drive, sometimes they are in other things". She said "open up the computer" multiple times. I built the thing myself, I'm pretty sure there aren't any hidey-holes where "bugs" are "hiding".

 

Needless to say, I'm here because I don't want to pay the dude at Best Buy to run AVG on my computer, open it to check for "bugs" and then charge me $150 :P . The problem I'm having is that I'm not having any problems. No popups, no suspicious emails, no unauthorized activity on any of my other accounts, no sluggishness, no other evidence of a keylogger or other such monitoring device, NOTHING. I've run an Avast (free) full scan and a Malwarebytes (free trial) full scan and found nada. Is there anything else to do to tell my bank I've done my due diligence?


here =/= hear
their =/= there =/= they're
quiet =/= quite
Newegg commenters can't speel! :)


#2 Jo*

Jo*

  • Malware Response Team
  • 3,416 posts
  • Gender:Male
  • Location:Germany

Posted 30 March 2016 - 08:32 AM

Welcome to BleepingComputer.

Hi there,

my name is Jo and I will help you with your computer problems.


Please follow these guidelines:
  • Read and follow the instructions in the sequence they are posted.
  • Print or copy & save the instructions.
  • Back up all your private data / music / important files on another (external) drive before using our tools.
  • Do not install / uninstall any applications, unless otherwise instructed.
  • Use only the tools you have been instructed to use.
  • Copy and paste the log files inside your post, unless otherwise instructed.
  • Ask for clarification, if you have any questions.
  • Stay with this topic until you get the all-clean post.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

***


Step 1: Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    Vista / Windows 7/8 users right-click and select Run As Administrator.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

***


Step 2: Please download Malwarebytes Anti-Rootkit and save it to your desktop.
  • Be sure to print out and follow the instructions provided on that same page.
  • Caution: This is a beta version so please be sure to read the disclaimer and back up all your data before using.
  • Double click on downloaded file. OK self extracting prompt.
  • MBAR will start. Click in the introduction screen "next" to continue.
  • Click in the following screen "Update" to obtain the latest malware definitions.
  • Once the update is complete select "Next" and click "Scan".
With some infections, you may see two message boxes.
  • 'Could not load protection driver'. Click 'OK'.
  • 'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.
  • If malware is found - do not press the Clean up button, please go to the MBAR folder and then copy/paste the contents of the MBAR-log-***.txt file to your next reply.
  • If there is no malware found, please let me know as well.

***


Step 3: Please download AdwCleaner by Xplode and save it to your Desktop.
Double-click AdwCleaner.exe
Vista / Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
    The actual line should say "Pending. Please uncheck elements you do not want to remove" => scan is complete.
  • After the scan has finished, click on the Logfile button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it.
    If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles is saved in the C:\AdwCleaner folder, which was created when running the tool.

***


Step 4: MiniToolbox by Farbar

Disable your antivirus if it does not allow you to download the tool!
Please download MiniToolBox, save it to your desktop and run it.
Place a checkmark in Select all, then click Go and post the result (MTB.txt). A copy of Result.txt will be saved in the same directory the tool is run.
Copy and paste the contents of that logfile in your next reply.

Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#3 jazzman831

jazzman831
  • Topic Starter

  • Members
  • 40 posts
  • Gender:Male

Posted 30 March 2016 - 04:55 PM

Hi Jo, thanks so much for helping out!

Note: before you posted I also ran an F-Secure scan and a Kaspersky virus scan (not the full suite, just the free quick scan) and neither found anything. Now on to your instructions:
 
Step 1:
 
 Results of screen317's Security Check version 1.014 --- 12/23/15  
   x64 (UAC is enabled)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
Kaspersky Internet Security   
Windows Defender              
 Antivirus up to date!   
`````````Anti-malware/Other Utilities Check:`````````
 Java 8 Update 77  
 Java version 32-bit out of Date!
 Adobe Flash Player     21.0.0.197  
 Mozilla Firefox (45.0.1)
````````Process Check: objlist.exe by Laurent````````  
 Malwarebytes Anti-Malware mbamservice.exe  
 Malwarebytes Anti-Malware mbam.exe  
 Malwarebytes Anti-Malware mbamscheduler.exe   
 Kaspersky Lab Kaspersky Internet Security 16.0.0 avp.exe  
 Kaspersky Lab Kaspersky Internet Security 16.0.0 avpui.exe  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:  %
````````````````````End of Log``````````````````````
 
Step 2: No malware found

Step 3:

# AdwCleaner v5.108 - Logfile created 30/03/2016 at 17:45:04
# Updated 30/03/2016 by Xplode
# Database : 2016-03-30.1 [Server]
# Operating system : Windows 10 Home (x64)
# Username : Bryan Temp - FRANKENSTEIN
# Running from : D:\Downloads\AdwCleaner.exe
# Option : Scan
# Support : http://toolslib.net/forum

***** [ Services ] *****


***** [ Folders ] *****

Folder Found : C:\Program Files (x86)\eSupport.com
Folder Found : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eSupport.com
Folder Found : C:\Users\Bryan Temp\AppData\Local\eSupport.com

***** [ Files ] *****


***** [ DLL ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****

Key Found : HKCU\Software\eSupport.com
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DriverAgent_is1
Key Found : HKU\S-1-5-21-466139569-2840190195-562546004-1001\Software\eSupport.com
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.com%2F23-ridiculously-easy-recipes-people-cant-cook%2F&h=CAQGFDp3a&s=1&enc=AZOBwjusKv8zuy7lt1cy07aBywut9oSXwCt4WWtbGWON6O7ufaUAIjHvAIVAQ414y632q0JuJfR82GgehRtd87sM
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gov%2Fdetail%2Fcoconino%2Fnews-events%2F%3Fcid%3DSTELPRD3827709&h=NAQHJIzma&s=1&enc=AZMH7tBXheARz28420JUTzrEIKmBBLwrS6KGQ7LzkmXxDN9n8WXTwtbNaysiV9s_-_zaILz6HtHp7Be2fOJgqH4z

***** [ Web browsers ] *****


*************************

C:\AdwCleaner\AdwCleaner[S1].txt - [1493 bytes] - [30/03/2016 17:45:04]

########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [1566 bytes] ##########


Step 4:

MiniToolBox by Farbar Version: 07-02-2016 01
Ran by Bryan Temp (administrator) on 30-03-2016 at 17:50:25
Running from "D:\Downloads"
Microsoft Windows 10 Home (X64)
Model: To be filled by O.E.M. Manufacturer: Gigabyte Technology Co., Ltd.
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================


"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= Hosts content: =================================
========================= IP Configuration: ================================

Realtek PCIe GBE Family Controller = Ethernet (Connected)


# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled
set interface interface="Ethernet" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Local Area Connection* 1" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled


popd
# End of IPv4 configuration



Windows IP Configuration

Host Name . . . . . . . . . . . . : Frankenstein
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Ethernet:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
Physical Address. . . . . . . . . : FC-AA-14-0A-DB-0D
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::d93e:6bce:9708:f532%4(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.2(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Wednesday, March 30, 2016 7:14:42 AM
Lease Expires . . . . . . . . . . : Thursday, March 31, 2016 7:14:41 AM
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DHCPv6 IAID . . . . . . . . . . . : 66890260
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1C-16-B8-B5-FC-AA-14-0A-DB-0D
DNS Servers . . . . . . . . . . . : 192.168.1.1
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Teredo Tunneling Pseudo-Interface:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:9d38:6abd:2095:3c51:3f57:fefd(Preferred)
Link-local IPv6 Address . . . . . : fe80::2095:3c51:3f57:fefd%3(Preferred)
Default Gateway . . . . . . . . . : ::
DHCPv6 IAID . . . . . . . . . . . : 117440512
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1C-16-B8-B5-FC-AA-14-0A-DB-0D
NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter isatap.{F3C9A36E-B933-4186-B9D4-7EF3DB97C676}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Server: UnKnown
Address: 192.168.1.1

Name: google.com
Addresses: 2607:f8b0:4009:809::200e
216.58.216.238


Pinging google.com [216.58.216.238] with 32 bytes of data:
Reply from 216.58.216.238: bytes=32 time=48ms TTL=52
Reply from 216.58.216.238: bytes=32 time=45ms TTL=52

Ping statistics for 216.58.216.238:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 45ms, Maximum = 48ms, Average = 46ms
Server: UnKnown
Address: 192.168.1.1

Name: yahoo.com
Addresses: 2001:4998:c:a06::2:4008
2001:4998:44:204::a7
2001:4998:58:c02::a9
98.139.183.24
98.138.253.109
206.190.36.45


Pinging yahoo.com [206.190.36.45] with 32 bytes of data:
Reply from 206.190.36.45: bytes=32 time=90ms TTL=41
Reply from 206.190.36.45: bytes=32 time=88ms TTL=41

Ping statistics for 206.190.36.45:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 88ms, Maximum = 90ms, Average = 89ms

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
4...fc aa 14 0a db 0d ......Realtek PCIe GBE Family Controller
1...........................Software Loopback Interface 1
3...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
5...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.2 20
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
169.254.0.0 255.255.0.0 On-link 192.168.1.2 30
169.254.255.255 255.255.255.255 On-link 192.168.1.2 276
192.168.1.0 255.255.255.0 On-link 192.168.1.2 276
192.168.1.2 255.255.255.255 On-link 192.168.1.2 276
192.168.1.255 255.255.255.255 On-link 192.168.1.2 276
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.1.2 276
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.1.2 276
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
3 306 ::/0 On-link
1 306 ::1/128 On-link
3 306 2001::/32 On-link
3 306 2001:0:9d38:6abd:2095:3c51:3f57:fefd/128
On-link
4 276 fe80::/64 On-link
3 306 fe80::/64 On-link
3 306 fe80::2095:3c51:3f57:fefd/128
On-link
4 276 fe80::d93e:6bce:9708:f532/128
On-link
1 306 ff00::/8 On-link
4 276 ff00::/8 On-link
3 306 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 C:\WINDOWS\SysWOW64\napinsp.dll [55808] (Microsoft Corporation)
Catalog5 02 C:\WINDOWS\SysWOW64\pnrpnsp.dll [70656] (Microsoft Corporation)
Catalog5 03 C:\WINDOWS\SysWOW64\pnrpnsp.dll [70656] (Microsoft Corporation)
Catalog5 04 C:\WINDOWS\SysWOW64\NLAapi.dll [65024] (Microsoft Corporation)
Catalog5 05 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog5 06 C:\WINDOWS\SysWOW64\winrnr.dll [23552] (Microsoft Corporation)
Catalog5 07 C:\Program Files (x86)\Bonjour\mdnsNSP.dll [94208] (Apple Computer, Inc.)
Catalog9 01 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 02 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 03 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 04 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 05 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 06 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 07 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 08 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 09 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 10 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 11 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
x64-Catalog5 01 C:\Windows\System32\napinsp.dll [68096] (Microsoft Corporation)
x64-Catalog5 02 C:\Windows\System32\pnrpnsp.dll [87040] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\pnrpnsp.dll [87040] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\NLAapi.dll [80896] (Microsoft Corporation)
x64-Catalog5 05 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog5 06 C:\Windows\System32\winrnr.dll [31744] (Microsoft Corporation)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 02 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 03 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 04 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 05 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 06 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 07 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 08 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 09 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 10 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 11 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (03/30/2016 05:12:02 PM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.


Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.

System Error:
Access is denied.
.

Error: (03/30/2016 07:38:01 AM) (Source: Application Error) (User: )
Description: Faulting application name: SkypeHost.exe, version: 10.1.2123.10, time stamp: 0x569054dc
Faulting module name: SkyWrap.dll, version: 10.1.2123.10, time stamp: 0x569054c9
Exception code: 0xc0000005
Fault offset: 0x00ac6197
Faulting process id: 0x10f8
Faulting application start time: 0xSkypeHost.exe0
Faulting application path: SkypeHost.exe1
Faulting module path: SkypeHost.exe2
Report Id: SkypeHost.exe3
Faulting package full name: SkypeHost.exe4
Faulting package-relative application ID: SkypeHost.exe5

Error: (03/30/2016 06:26:31 AM) (Source: Application Error) (User: )
Description: Faulting application name: SkypeHost.exe, version: 10.1.2123.10, time stamp: 0x569054dc
Faulting module name: SkyWrap.dll, version: 10.1.2123.10, time stamp: 0x569054c9
Exception code: 0xc0000005
Fault offset: 0x00ac6197
Faulting process id: 0x14e8
Faulting application start time: 0xSkypeHost.exe0
Faulting application path: SkypeHost.exe1
Faulting module path: SkypeHost.exe2
Report Id: SkypeHost.exe3
Faulting package full name: SkypeHost.exe4
Faulting package-relative application ID: SkypeHost.exe5

Error: (03/30/2016 06:09:38 AM) (Source: Microsoft-Windows-Immersive-Shell) (User: FRANKENSTEIN)
Description: Activation of app Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI failed with error: -2147024865 See the Microsoft-Windows-TWinUI/Operational log for additional information.

Error: (03/30/2016 06:09:38 AM) (Source: Microsoft-Windows-Immersive-Shell) (User: FRANKENSTEIN)
Description: Activation of app Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI failed with error: -2144927141 See the Microsoft-Windows-TWinUI/Operational log for additional information.

Error: (03/30/2016 06:09:37 AM) (Source: Microsoft-Windows-Immersive-Shell) (User: FRANKENSTEIN)
Description: Activation of app Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy!App failed with error: -2144927141 See the Microsoft-Windows-TWinUI/Operational log for additional information.

Error: (03/30/2016 06:09:37 AM) (Source: Microsoft-Windows-Immersive-Shell) (User: FRANKENSTEIN)
Description: Activation of app Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI failed with error: -2147024891 See the Microsoft-Windows-TWinUI/Operational log for additional information.

Error: (03/29/2016 11:00:15 PM) (Source: Microsoft-Windows-Immersive-Shell) (User: FRANKENSTEIN)
Description: Activation of app Microsoft.Messaging_8wekyb3d8bbwe!ppleae38af2e007f4358a809ac99a64a67c1 failed with error: -2147009280 See the Microsoft-Windows-TWinUI/Operational log for additional information.

Error: (03/23/2016 07:29:30 PM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.


Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.

System Error:
Access is denied.
.

Error: (03/22/2016 04:42:21 AM) (Source: Microsoft-Windows-RestartManager) (User: FRANKENSTEIN)
Description: Application or service 'Microsoft Office Document Cache Sync Client Interface' could not be shut down.


System errors:
=============
Error: (03/30/2016 05:45:47 PM) (Source: DCOM) (User: FRANKENSTEIN)
Description: machine-defaultLocalActivation{C2F03A33-21F5-47FA-B4BB-156362A2F239}{316CDED5-E4AE-4B15-9113-7055D84DCC97}FRANKENSTEINBryan TempS-1-5-21-466139569-2840190195-562546004-1001LocalHost (Using LRPC)Microsoft.Windows.Cortana_1.6.1.52_neutral_neutral_cw5n1h2txyewyS-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742

Error: (03/30/2016 05:14:56 PM) (Source: DCOM) (User: NT AUTHORITY)
Description: {784E29F4-5EBE-4279-9948-1E8FE941646D}

Error: (03/30/2016 07:40:17 AM) (Source: DCOM) (User: FRANKENSTEIN)
Description: {536AACFB-5238-4314-B4D4-5B0A2E8B968E}

Error: (03/30/2016 07:40:12 AM) (Source: DCOM) (User: NT AUTHORITY)
Description: {784E29F4-5EBE-4279-9948-1E8FE941646D}

Error: (03/30/2016 07:38:12 AM) (Source: DCOM) (User: NT AUTHORITY)
Description: application-specificLocalActivation{D63B10C5-BB46-4990-A94F-E40B9D520160}{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}NT AUTHORITYSYSTEMS-1-5-18LocalHost (Using LRPC)UnavailableUnavailable

Error: (03/30/2016 07:19:50 AM) (Source: DCOM) (User: NT AUTHORITY)
Description: {784E29F4-5EBE-4279-9948-1E8FE941646D}

Error: (03/30/2016 07:14:42 AM) (Source: EventLog) (User: )
Description: The previous system shutdown at 7:04:31 AM on 3/30/2016 was unexpected.

Error: (03/30/2016 07:07:52 AM) (Source: DCOM) (User: NT AUTHORITY)
Description: {784E29F4-5EBE-4279-9948-1E8FE941646D}

Error: (03/30/2016 07:07:15 AM) (Source: Microsoft-Windows-WindowsUpdateClient) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x80070643: Definition Update for Windows Defender - KB2267602 (Definition 1.217.175.0).

Error: (03/30/2016 07:04:21 AM) (Source: volmgr) (User: )
Description: Crash dump initialization failed!


Microsoft Office Sessions:
=========================
Error: (03/30/2016 05:12:02 PM) (Source: Microsoft-Windows-CAPI2)(User: )
Description:
Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.

System Error:
Access is denied.

Error: (03/30/2016 07:38:01 AM) (Source: Application Error)(User: )
Description: SkypeHost.exe10.1.2123.10569054dcSkyWrap.dll10.1.2123.10569054c9c000000500ac619710f801d18a75a7a74e51C:\Program Files\WindowsApps\Microsoft.Messaging_2.13.20000.0_x86__8wekyb3d8bbwe\SkypeHost.exeC:\Program Files\WindowsApps\Microsoft.Messaging_2.13.20000.0_x86__8wekyb3d8bbwe\SkyWrap.dllba99bd25-b7e4-4e48-8dd3-3751a4a89d1dMicrosoft.Messaging_2.13.20000.0_x86__8wekyb3d8bbweppleae38af2e007f4358a809ac99a64a67c1

Error: (03/30/2016 06:26:31 AM) (Source: Application Error)(User: )
Description: SkypeHost.exe10.1.2123.10569054dcSkyWrap.dll10.1.2123.10569054c9c000000500ac619714e801d18a6c674818ceC:\Program Files\WindowsApps\Microsoft.Messaging_2.13.20000.0_x86__8wekyb3d8bbwe\SkypeHost.exeC:\Program Files\WindowsApps\Microsoft.Messaging_2.13.20000.0_x86__8wekyb3d8bbwe\SkyWrap.dll574f4d45-2052-4183-b0b4-8c884039b815Microsoft.Messaging_2.13.20000.0_x86__8wekyb3d8bbweppleae38af2e007f4358a809ac99a64a67c1

Error: (03/30/2016 06:09:38 AM) (Source: Microsoft-Windows-Immersive-Shell)(User: FRANKENSTEIN)
Description: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI-2147024865

Error: (03/30/2016 06:09:38 AM) (Source: Microsoft-Windows-Immersive-Shell)(User: FRANKENSTEIN)
Description: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI-2144927141

Error: (03/30/2016 06:09:37 AM) (Source: Microsoft-Windows-Immersive-Shell)(User: FRANKENSTEIN)
Description: Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy!App-2144927141

Error: (03/30/2016 06:09:37 AM) (Source: Microsoft-Windows-Immersive-Shell)(User: FRANKENSTEIN)
Description: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI-2147024891

Error: (03/29/2016 11:00:15 PM) (Source: Microsoft-Windows-Immersive-Shell)(User: FRANKENSTEIN)
Description: Microsoft.Messaging_8wekyb3d8bbwe!ppleae38af2e007f4358a809ac99a64a67c1-2147009280

Error: (03/23/2016 07:29:30 PM) (Source: Microsoft-Windows-CAPI2)(User: )
Description:
Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.

System Error:
Access is denied.

Error: (03/22/2016 04:42:21 AM) (Source: Microsoft-Windows-RestartManager)(User: FRANKENSTEIN)
Description: 1C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXEMicrosoft Office Document Cache Sync Client Interface


CodeIntegrity Errors:
===================================
Date: 2016-03-24 04:36:52.393
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.

Date: 2016-03-14 03:36:53.368
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.

Date: 2016-03-13 11:10:50.097
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.

Date: 2016-03-11 12:40:27.819
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.

Date: 2016-03-04 20:32:25.704
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.

Date: 2016-03-02 20:44:54.940
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.

Date: 2016-02-12 00:28:49.937
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.

Date: 2016-02-10 19:37:05.716
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.

Date: 2016-01-30 21:29:46.034
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.

Date: 2016-01-14 06:27:34.244
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.


=========================== Installed Programs ============================

7-Zip 15.14 (x64) (HKLM\...\7-Zip) (Version: 15.14 - Igor Pavlov)
Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 15.010.20060 - Adobe Systems Incorporated)
Adobe Flash Player 21 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 21.0.0.197 - Adobe Systems Incorporated)
Adobe Photoshop CS (HKLM-x32\...\{EFB21DE7-8C19-4A88-BB28-A766E16493BC}) (Version: CS - Adobe Systems, Inc.)
Adobe Premiere Pro CS3 (HKLM-x32\...\Adobe_32fdd767b4383606e8168e834af5d90) (Version: 3 - Adobe Systems Incorporated)
AMD OverDrive (HKLM-x32\...\{EEB605FD-C5F5-4946-90F3-D65C604A9187}) (Version: 4.3.1.0698 - Advanced Micro Devices, Inc.)
Anvil Studio 2015 (HKLM-x32\...\{60F26B2B-D61A-4962-8FAD-0F34819CB827}) (Version: 15.09.01 - Willow Software)
Apple Application Support (HKLM-x32\...\{46F044A5-CE8B-4196-984E-5BD6525E361D}) (Version: 2.3.6 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
Arduino (HKLM-x32\...\Arduino) (Version: 1.6.7 - Arduino LLC)
BB FlashBack Express 5 (HKLM-x32\...\BB FlashBack Express 5) (Version: 5.4.0.3442 - Blueberry)
D3DX10 (HKLM-x32\...\{E09C4DB7-630C-4F06-A631-8EA7239923AF}) (Version: 15.4.2368.0902 - Microsoft) Hidden
DMIView Ver.1.5 B12.0314.1 (HKLM-x32\...\{3EE1008C-11A1-4F4F-8DB7-27573924DE78}) (Version: 1.5 - GIGABYTE)
DriverAgent by eSupport.com (HKLM-x32\...\DriverAgent_is1) (Version: - Copyright © 2015 eSupport.com, Inc • All Rights Reserved)
DVD Flick 1.3.0.7 (HKLM-x32\...\DVD Flick_is1) (Version: 1.3.0.7 - Dennis Meuwissen)
EaseUS Partition Master 10.2 (HKLM-x32\...\EaseUS Partition Master_is1) (Version: - EaseUS)
EaseUS Todo Backup Free 8.8 (HKLM-x32\...\EaseUS Todo Backup_is1) (Version: 8.8 - CHENGDU YIWO Tech Development Co., Ltd)
Easy Tune 6 B13.1111.1 (HKLM-x32\...\{457D7505-D665-4F95-91C3-ECB8C56E9ACA}) (Version: 1.00.0000 - GIGABYTE) Hidden
Easy Tune 6 B13.1111.1 (HKLM-x32\...\InstallShield_{457D7505-D665-4F95-91C3-ECB8C56E9ACA}) (Version: 1.00.0000 - GIGABYTE)
ImgBurn (HKLM-x32\...\ImgBurn) (Version: 2.5.8.0 - LIGHTNING UK!)
Java 8 Update 77 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218077F0}) (Version: 8.0.770.3 - Oracle Corporation)
Kaspersky Internet Security (HKLM-x32\...\{77E7AE5C-181C-4CAF-ADBF-946F11C1CE26}) (Version: 16.0.0.614 - Kaspersky Lab) Hidden
Kaspersky Internet Security (HKLM-x32\...\InstallWIX_{77E7AE5C-181C-4CAF-ADBF-946F11C1CE26}) (Version: 16.0.0.614 - Kaspersky Lab)
Lexmark X1100 Series (HKLM\...\Lexmark X1100 Series) (Version: - Lexmark International, Inc.)
Macromedia Dreamweaver MX 2004 (HKLM-x32\...\{05BB2EC5-6BEF-4DDC-9E75-BEE7B161157A}) (Version: 7.0 - Macromedia)
Macromedia Extension Manager (HKLM-x32\...\{A5BA14E0-7384-11D4-BAE7-00409631A2C8}) (Version: 1.5 - Macromedia)
Macromedia Fireworks MX 2004 (HKLM-x32\...\{E583ED6F-BD99-4066-A420-C815BF692B69}) (Version: 7 - Macromedia)
Macromedia Flash MX 2004 (HKLM-x32\...\{2F353D44-73BB-4971-B31D-F7642E9E9531}) (Version: 7 - Macromedia)
Macromedia FreeHand MXa (HKLM-x32\...\{939740B5-0064-4779-854A-8C1086181C05}) (Version: 11.0.1 - Macromedia)
Malwarebytes Anti-Malware version 2.2.1.1043 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.1.1043 - Malwarebytes)
Microsoft Office Professional Plus 2013 - en-us (HKLM\...\ProPlusRetail - en-us) (Version: 15.0.4805.1003 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.41212.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.50727 (HKLM-x32\...\{15134cb0-b767-4960-a911-f2d16ae54797}) (Version: 11.0.50727.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.50727 (HKLM-x32\...\{22154f09-719a-4619-bb71-5b3356999fbf}) (Version: 11.0.50727.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)) (Version: 10.0.50903 - Microsoft Corporation)
Movie Maker (HKLM-x32\...\{38F03569-A636-4CF3-BDDE-032C8C251304}) (Version: 16.4.3528.0331 - Microsoft Corporation) Hidden
Movie Maker (HKLM-x32\...\{DD67BE4B-7E62-4215-AFA3-F123A800A389}) (Version: 16.4.3528.0331 - Microsoft Corporation) Hidden
Mozilla Firefox 45.0.1 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 45.0.1 (x86 en-US)) (Version: 45.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 45.0.1.5918 - Mozilla)
OCCT 4.4.1 (HKLM-x32\...\OCCT) (Version: 4.4.1 - Ocbase.com)
Office 15 Click-to-Run Extensibility Component (HKLM-x32\...\{90150000-008C-0000-0000-0000000FF1CE}) (Version: 15.0.4805.1003 - Microsoft Corporation) Hidden
Office 15 Click-to-Run Licensing Component (HKLM\...\{90150000-008F-0000-1000-0000000FF1CE}) (Version: 15.0.4805.1003 - Microsoft Corporation) Hidden
Office 15 Click-to-Run Localization Component (HKLM-x32\...\{90150000-008C-0409-0000-0000000FF1CE}) (Version: 15.0.4805.1003 - Microsoft Corporation) Hidden
ON_OFF Charge 2 B13.1028.1 (HKLM-x32\...\{6B4ED6F7-BB88-4945-B0C6-01410E1BAC3A}) (Version: 1.00.0000 - GIGABYTE) Hidden
ON_OFF Charge 2 B13.1028.1 (HKLM-x32\...\InstallShield_{6B4ED6F7-BB88-4945-B0C6-01410E1BAC3A}) (Version: 1.00.0000 - GIGABYTE)
Pantum P2500W Series (HKLM\...\Pantum P2500W Series) (Version: 5.1.1.23 - Zhuhai Seine Technology Co., Ltd.)
Platform (HKLM-x32\...\{20D4A895-748C-4D88-871C-FDB1695B0169}) (Version: 1.42 - VIA Technologies, Inc.) Hidden
QuickTime 7 (HKLM-x32\...\{627FFC10-CE0A-497F-BA2B-208CAC638010}) (Version: 7.77.80.95 - Apple Inc.)
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 8.18.621.2013 - Realtek)
Skype™ 7.17 (HKLM-x32\...\{FC965A47-4839-40CA-B618-18F486F042C6}) (Version: 7.17.105 - Skype Technologies S.A.)
SmartSound Quicktracks for Premiere Elements (HKLM-x32\...\{F6234880-85BE-4DCB-8A45-1FF85A1A8552}) (Version: 3.11.3090 - SmartSound Software Inc) Hidden
SmartSound Quicktracks for Premiere Elements (HKLM-x32\...\InstallShield_{F6234880-85BE-4DCB-8A45-1FF85A1A8552}) (Version: 3.11.3090 - SmartSound Software Inc)
SpeedFan (remove only) (HKLM-x32\...\SpeedFan) (Version: - )
TechPowerUp GPU-Z (HKLM-x32\...\TechPowerUp GPU-Z) (Version: - TechPowerUp)
VIA Platform Device Manager (HKLM-x32\...\InstallShield_{20D4A895-748C-4D88-871C-FDB1695B0169}) (Version: 1.42 - VIA Technologies, Inc.)
VirtualCloneDrive (HKLM-x32\...\VirtualCloneDrive) (Version: 5.4.7.0 - Elaborate Bytes)
VLC media player (HKLM-x32\...\VLC media player) (Version: 2.2.1 - VideoLAN)
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 16.4.3528.0331 - Microsoft Corporation)
Zune (HKLM\...\Zune) (Version: 04.08.2345.00 - Microsoft Corporation)

========================= Devices: ================================

Name: Unknown USB Device (Device Descriptor Request Failed)
Description: Unknown USB Device (Device Descriptor Request Failed)
Class Guid: {36fc9e60-c465-11cf-8056-444553540000}
Manufacturer: (Standard USB Host Controller)
Service:
Device ID: USB\VID_0000&PID_0002\5&106F75EA&0&4
Problem: : Windows has stopped this device because it has reported problems. (Code 43)
Resolution: One of the drivers controlling the device notified the operating system that the device failed in some manner. For more information about how to diagnose the problem, see the hardware documentation.


========================= Memory info: ===================================

Percentage of memory in use: 36%
Total physical RAM: 8156.65 MB
Available physical RAM: 5197.64 MB
Total Virtual: 9436.65 MB
Available Virtual: 6164.75 MB

========================= Partitions: =====================================

1 Drive c: (OS) (Fixed) (Total:222.61 GB) (Free:172.79 GB) NTFS
2 Drive d: (Docs) (Fixed) (Total:73.06 GB) (Free:26.35 GB) ReFS
3 Drive e: (Media) (Fixed) (Total:372.61 GB) (Free:294.66 GB) NTFS
6 Drive p: (OS Backup) (Fixed) (Total:233.89 GB) (Free:233.36 GB) NTFS
7 Drive q: (Backup) (Fixed) (Total:697.62 GB) (Free:24.23 GB) NTFS

========================= Users: ========================================

User accounts for \\FRANKENSTEIN

Administrator Bryan Temp DefaultAccount
Guest

========================= Minidump Files ==================================

C:\WINDOWS\Minidump\013016-11859-01.dmp
========================= Restore Points ==================================

18-03-2016 01:15:20 Scheduled Checkpoint
23-03-2016 23:29:28 Windows Update
30-03-2016 21:12:00 Removed F-Secure

**** End of log ****


here =/= hear
their =/= there =/= they're
quiet =/= quite
Newegg commenters can't speel! :)
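An added example, not code from the thread or from any of the tools used in it: a small Python parser for the installed-programs listing pasted above (the `Name (HIVE\...\Key) (Version: X - Vendor) [Hidden]` template), followed by a review pass over the parsed records. The regular expression, the field names and the review list of product names are this example's own assumptions; the sample lines are copied from the listing above, and the DriverAgent entry is included because the AdwCleaner run later in the thread removes the eSupport.com folders and uninstall key as unwanted software.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: lines copied from the installed-programs listing above.
# Two of them exercise the awkward cases: a display name and an uninstall key
# that themselves contain parentheses, and entries with no version at all.
SAMPLE_LISTING = r"""
7-Zip 15.14 (x64) (HKLM\...\7-Zip) (Version: 15.14 - Igor Pavlov)
Adobe Flash Player 21 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 21.0.0.197 - Adobe Systems Incorporated)
D3DX10 (HKLM-x32\...\{E09C4DB7-630C-4F06-A631-8EA7239923AF}) (Version: 15.4.2368.0902 - Microsoft) Hidden
DriverAgent by eSupport.com (HKLM-x32\...\DriverAgent_is1) (Version: - Copyright © 2015 eSupport.com, Inc • All Rights Reserved)
Java 8 Update 77 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218077F0}) (Version: 8.0.770.3 - Oracle Corporation)
Mozilla Firefox 45.0.1 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 45.0.1 (x86 en-US)) (Version: 45.0.1 - Mozilla)
SpeedFan (remove only) (HKLM-x32\...\SpeedFan) (Version: - )
"""


@dataclass
class InstalledProgram:
    name: str
    hive: str      # HKLM, or HKLM-x32 for the 32-bit (WOW6432Node) uninstall view
    key: str       # uninstall key name: a GUID, a product name or an <name>_is1 Inno key
    version: str   # empty when the installer wrote no DisplayVersion
    vendor: str    # empty when no Publisher was written
    hidden: bool   # entry carries the listing's "Hidden" flag


# Assumed template of one listing line (my reading of the format, not a
# published grammar). Lazy groups let the name and the key contain parentheses.
ENTRY_RE = re.compile(
    r"^(?P<name>.+?) "
    r"\((?P<hive>HKLM(?:-x32)?)\\\.\.\.\\(?P<key>.+?)\) "
    r"\(Version:\s*(?P<version>\S*?)\s*-\s*(?P<vendor>[^)]*)\)"
    r"(?P<hidden>\s+Hidden)?\s*$"
)


def parse_listing(text: str) -> List[InstalledProgram]:
    """Parse every non-empty line; a line that does not fit the template is an error, not a silent drop."""
    programs = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            raise ValueError(f"unparsed installed-programs line: {line!r}")
        programs.append(InstalledProgram(
            name=m["name"], hive=m["hive"], key=m["key"],
            version=m["version"], vendor=m["vendor"].strip(),
            hidden=m["hidden"] is not None))
    return programs


# Assumed review policy for this example (not something the thread states):
# name fragments a responder would want to look at when credential theft is
# suspected: browser plug-in runtimes, and the driver-updater utility that the
# AdwCleaner run in this thread removed.
WATCH_NAMES = ("Java", "Flash Player", "Silverlight", "QuickTime", "DriverAgent")


def review(programs: List[InstalledProgram],
           watch_names: Tuple[str, ...] = WATCH_NAMES) -> List[Tuple[str, str]]:
    """Return (program name, reason) pairs worth a second look."""
    findings = []
    for p in programs:
        if any(w.lower() in p.name.lower() for w in watch_names):
            findings.append((p.name, "on review list"))
        if not p.version:
            findings.append((p.name, "no version recorded"))
        if p.hidden:
            findings.append((p.name, "marked Hidden in the listing"))
    return findings


if __name__ == "__main__":
    for name, reason in review(parse_listing(SAMPLE_LISTING)):
        print(f"{name}: {reason}")
```

Run it against a full listing by pasting the whole Installed Programs section into `SAMPLE_LISTING`; an unparsed line raises rather than disappearing, which matters when the point of the exercise is to make sure nothing on the machine is overlooked.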

#4 Jo* (Malware Response Team, Germany)

Posted 30 March 2016 - 05:19 PM

Hello,

Step 1: Run Malwarebytes Anti-Rootkit again: right-click mbar.exe and select Run As Administrator
  • Scan your system for malware
  • If malware is found, click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Then go to the MBAR folder and copy/paste the contents of the MBAR-log-***.txt file into your next reply.
  • If there is no malware found, please let me know as well.

***


Step 2: Double click on AdwCleaner.exe to run the tool again.
Vista / Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin to scan your computer like it did before.
  • When the scan has finished, the actual line should say "Pending. Please uncheck elements you do not want to remove". Look through the scan results and uncheck any entries that you do not wish to remove.
  • This time, click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[C#].txt) will open automatically (where the largest value of # represents the most recent report).
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.

***


Step 3: Please download Junkware Removal Tool from HERE and save it to your desktop.
Shutdown your antivirus to avoid any potential conflicts.
Double click JRT.exe to run the tool.
Vista / Windows 7/8 users right-click and select Run As Administrator.
  • JRT will begin to backup your registry and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, the log JRT.txt is saved on your desktop and will automatically open.
Enable your antivirus!
Post the contents of JRT.txt into your next reply.

Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#5 jazzman831 (Topic Starter)

Posted 30 March 2016 - 08:22 PM

Step 1: No Malware Found

Step 2:

# AdwCleaner v5.108 - Logfile created 30/03/2016 at 21:04:28
# Updated 30/03/2016 by Xplode
# Database : 2016-03-30.1 [Server]
# Operating system : Windows 10 Home  (x64)
# Username : Bryan Temp - FRANKENSTEIN
# Running from : D:\Downloads\AdwCleaner.exe
# Option : Clean
# Support : http://toolslib.net/forum

***** [ Services ] *****


***** [ Folders ] *****

[-] Folder Deleted : C:\Program Files (x86)\eSupport.com
[-] Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eSupport.com
[-] Folder Deleted : C:\Users\Bryan Temp\AppData\Local\eSupport.com

***** [ Files ] *****


***** [ DLLs ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****

[-] Key Deleted : HKCU\Software\eSupport.com
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DriverAgent_is1
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.com%2F23-ridiculously-easy-recipes-people-cant-cook%2F&h=CAQGFDp3a&s=1&enc=AZOBwjusKv8zuy7lt1cy07aBywut9oSXwCt4WWtbGWON6O7ufaUAIjHvAIVAQ414y632q0JuJfR82GgehRtd87sM
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gov%2Fdetail%2Fcoconino%2Fnews-events%2F%3Fcid%3DSTELPRD3827709&h=NAQHJIzma&s=1&enc=AZMH7tBXheARz28420JUTzrEIKmBBLwrS6KGQ7LzkmXxDN9n8WXTwtbNaysiV9s_-_zaILz6HtHp7Be2fOJgqH4z

***** [ Web browsers ] *****


*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C1].txt - [1540 bytes] - [30/03/2016 21:04:28]
C:\AdwCleaner\AdwCleaner[S1].txt - [1645 bytes] - [30/03/2016 17:45:04]
C:\AdwCleaner\AdwCleaner[S2].txt - [1718 bytes] - [30/03/2016 20:56:52]

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [1759 bytes] ##########

Step 3:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.4 (03.14.2016)
Operating System: Windows 10 Home x64
Ran by Bryan Temp (Administrator) on Wed 03/30/2016 at 21:18:13.04
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 1

Successfully deleted: C:\ProgramData\esellerate (Folder)

Deleted the following from C:\Users\Bryan Temp\AppData\Roaming\Mozilla\Firefox\Profiles\ewgg4wjq.default\prefs.js
user_pref(browser.urlbar.suggest.searches, true);



Registry: 0





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 03/30/2016 at 21:19:18.61
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



#6 Jo* (Malware Response Team, Germany)

Posted 31 March 2016 - 01:20 AM

Hi,

Step 1: Download Sophos Free Virus Removal Tool and save it to your desktop.
  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View log file... (bottom left hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program

***


Step 2: Emsisoft Emergency Kit
  • Click here to download Emsisoft Emergency Kit. The download will automatically start after a moment.
  • Save EmsisoftEmergencyKit.exe to your Desktop.
  • Double click on EmsisoftEmergencyKit.exe (Windows Vista/7/8 users: accept the UAC warning if it is enabled).
  • Leave everything as it is, then click Extract. This will unpack Emsisoft Emergency Kit to the EEK folder located in the root drive (usually C:\).
  • Once the extraction is done, an icon will appear on your Desktop. Double click it to start Emsisoft Emergency Kit.
  • Wait for Emsisoft Emergency Kit to finish loading signatures.
  • Choose Yes, then wait for EEK to finish updating.
  • Choose Malware Scan under the Scan button. When EEK asks to activate PUP detection, choose Yes.
  • Wait for the scan to finish.
  • If EEK detects something, all detected items will be displayed. Place a checkmark before everything, then choose Quarantine Selected.
  • If Emsisoft Emergency Kit asks to reboot, please do so immediately.
  • The scan log is located in Logs -> Scan Logs. Click on the entry of the latest scan, choose Export and save the report on your Desktop.
  • Please Copy and Paste the contents of the scan log in your next reply.

***


Step 3: How is the computer running now?

Cheers,
Jo


#7 jazzman831 (Topic Starter)

Posted 31 March 2016 - 04:43 PM

Step 1:

2016-03-31 09:50:35.322    Sophos Virus Removal Tool version 2.5.5
2016-03-31 09:50:35.322    Copyright © 2009-2014 Sophos Limited. All rights reserved.

2016-03-31 09:50:35.322    This tool will scan your computer for viruses and other threats. If it finds any, it will give you the option to remove them.

2016-03-31 09:50:35.322    Windows version 6.2 SP 0.0  build 9200 SM=0x300 PT=0x1 WOW64
2016-03-31 09:50:35.322    Checking for updates...
2016-03-31 09:50:35.338    Update progress: proxy server not available
2016-03-31 09:50:43.235    Option all = no
2016-03-31 09:50:43.235    Option recurse = yes
2016-03-31 09:50:43.235    Option archive = no
2016-03-31 09:50:43.235    Option service = yes
2016-03-31 09:50:43.235    Option confirm = yes
2016-03-31 09:50:43.235    Option sxl = yes
2016-03-31 09:50:43.235    Option max-data-age = 35
2016-03-31 09:50:43.235    Option EnableSafeClean = yes
2016-03-31 09:50:44.772    Option vdl-logging = yes
2016-03-31 09:50:44.772    Customer ID:    094260ca9b3af99f9d4a3909fc47a743
2016-03-31 09:50:44.772    Machine ID:    d7d247654825437bbc0cbec300f452d1
2016-03-31 09:50:44.772    Component SVRTcli.exe version 2.5.5
2016-03-31 09:50:44.772    Component control.dll version 2.5.5
2016-03-31 09:50:44.772    Component SVRTservice.exe version 2.5.5
2016-03-31 09:50:44.772    Component engine\osdp.dll version 1.44.1.2240
2016-03-31 09:50:44.772    Component engine\veex.dll version 3.64.0.2240
2016-03-31 09:50:44.772    Component engine\savi.dll version 9.0.0.2240
2016-03-31 09:50:44.772    Component rkdisk.dll version 1.5.30.0
2016-03-31 09:50:44.772    Version info:    Product version    2.5.5
2016-03-31 09:50:44.772    Version info:    Detection engine    3.64.0
2016-03-31 09:50:44.772    Version info:    Detection data    5.25
2016-03-31 09:50:44.772    Version info:    Build date    3/8/2016
2016-03-31 09:50:44.772    Version info:    Data files added    280
2016-03-31 09:50:44.772    Version info:    Last successful update    (not yet updated)
2016-03-31 09:50:51.019    Downloading updates...
2016-03-31 09:50:51.019    Update progress: [I96736] Looking for package C1A903B2-E63E-483b-982D-04BB9C457C60 1.0
2016-03-31 09:50:51.019    Update progress: [I49502] Found supplement SAVIW32 LATEST
2016-03-31 09:50:51.019    Update progress: [I49502] Found supplement IDE526 LATEST
2016-03-31 09:50:51.019    Update progress: [I49502] Found supplement IDE527 LATEST
2016-03-31 09:50:51.019    Update progress: [I49502] Found supplement IDE528 LATEST
2016-03-31 09:50:51.019    Update progress: [I19463] Syncing product C1A903B2-E63E-483b-982D-04BB9C457C60 1
2016-03-31 09:50:51.019    Update progress: [I19463] Syncing product SAVIW32 68
2016-03-31 09:50:51.519    Update progress: [I19463] Syncing product IDE526 167
2016-03-31 09:50:51.782    Installing updates...
2016-03-31 09:50:52.415    Error level 1
2016-03-31 09:50:52.421    Update progress: [I19463] Syncing product IDE527 115
2016-03-31 09:50:52.421    Update progress: [I19463] Syncing product IDE528 1
2016-03-31 09:50:56.400    Update successful
2016-03-31 09:51:04.382    Option all = no
2016-03-31 09:51:04.382    Option recurse = yes
2016-03-31 09:51:04.382    Option archive = no
2016-03-31 09:51:04.382    Option service = yes
2016-03-31 09:51:04.382    Option confirm = yes
2016-03-31 09:51:04.382    Option sxl = yes
2016-03-31 09:51:04.384    Option max-data-age = 35
2016-03-31 09:51:04.384    Option EnableSafeClean = yes
2016-03-31 09:51:04.839    Option vdl-logging = yes
2016-03-31 09:51:04.839    Customer ID:    094260ca9b3af99f9d4a3909fc47a743
2016-03-31 09:51:04.839    Machine ID:    d7d247654825437bbc0cbec300f452d1
2016-03-31 09:51:04.839    Component SVRTcli.exe version 2.5.5
2016-03-31 09:51:04.839    Component control.dll version 2.5.5
2016-03-31 09:51:04.839    Component SVRTservice.exe version 2.5.5
2016-03-31 09:51:04.839    Component engine\osdp.dll version 1.44.1.2240
2016-03-31 09:51:04.839    Component engine\veex.dll version 3.64.0.2240
2016-03-31 09:51:04.839    Component engine\savi.dll version 9.0.0.2240
2016-03-31 09:51:04.839    Component rkdisk.dll version 1.5.30.0
2016-03-31 09:51:04.839    Version info:    Product version    2.5.5
2016-03-31 09:51:04.854    Version info:    Detection engine    3.64.0
2016-03-31 09:51:04.854    Version info:    Detection data    5.25
2016-03-31 09:51:04.854    Version info:    Build date    3/8/2016
2016-03-31 09:51:04.854    Version info:    Data files added    280
2016-03-31 09:51:04.854    Version info:    Last successful update    3/31/2016 5:50:56 AM

2016-03-31 10:31:07.771    Sophos Virus Removal Tool version 2.5.5
2016-03-31 10:31:07.771    Copyright © 2009-2014 Sophos Limited. All rights reserved.

2016-03-31 10:31:07.771    This tool will scan your computer for viruses and other threats. If it finds any, it will give you the option to remove them.

2016-03-31 10:31:07.771    Windows version 6.2 SP 0.0  build 9200 SM=0x300 PT=0x1 WOW64
2016-03-31 10:31:07.771    Checking for updates...
2016-03-31 10:31:07.792    Update progress: proxy server not available
2016-03-31 10:31:16.863    Downloading updates...
2016-03-31 10:31:16.863    Update progress: [I96736] Looking for package C1A903B2-E63E-483b-982D-04BB9C457C60 1.0
2016-03-31 10:31:16.863    Update progress: [I49502] Found supplement SAVIW32 LATEST
2016-03-31 10:31:16.863    Update progress: [I49502] Found supplement IDE526 LATEST
2016-03-31 10:31:16.863    Update progress: [I49502] Found supplement IDE527 LATEST
2016-03-31 10:31:16.863    Update progress: [I49502] Found supplement IDE528 LATEST
2016-03-31 10:31:16.863    Update progress: [I19463] Syncing product C1A903B2-E63E-483b-982D-04BB9C457C60 1
2016-03-31 10:31:16.863    Update progress: [I19463] Syncing product SAVIW32 68
2016-03-31 10:31:16.863    Update progress: [I19463] Syncing product IDE526 167
2016-03-31 10:31:16.910    Option all = no
2016-03-31 10:31:16.910    Option recurse = yes
2016-03-31 10:31:16.910    Option archive = no
2016-03-31 10:31:16.910    Option service = yes
2016-03-31 10:31:16.910    Option confirm = yes
2016-03-31 10:31:16.910    Option sxl = yes
2016-03-31 10:31:16.910    Option max-data-age = 35
2016-03-31 10:31:16.910    Option EnableSafeClean = yes
2016-03-31 10:31:17.327    Update progress: [I19463] Syncing product IDE527 116
2016-03-31 10:31:17.428    Installing updates...
2016-03-31 10:31:17.466    Option vdl-logging = yes
2016-03-31 10:31:18.085    Customer ID:    094260ca9b3af99f9d4a3909fc47a743
2016-03-31 10:31:18.085    Machine ID:    d7d247654825437bbc0cbec300f452d1
2016-03-31 10:31:18.085    Component SVRTcli.exe version 2.5.5
2016-03-31 10:31:18.085    Component control.dll version 2.5.5
2016-03-31 10:31:18.085    Component SVRTservice.exe version 2.5.5
2016-03-31 10:31:18.085    Component engine\osdp.dll version 1.44.1.2240
2016-03-31 10:31:18.085    Component engine\veex.dll version 3.64.0.2240
2016-03-31 10:31:18.085    Component engine\savi.dll version 9.0.0.2240
2016-03-31 10:31:18.085    Component rkdisk.dll version 1.5.30.0
2016-03-31 10:31:18.085    Version info:    Product version    2.5.5
2016-03-31 10:31:18.085    Version info:    Detection engine    3.64.0
2016-03-31 10:31:18.085    Version info:    Detection data    5.25
2016-03-31 10:31:18.085    Version info:    Build date    3/8/2016
2016-03-31 10:31:18.085    Version info:    Data files added    280
2016-03-31 10:31:18.085    Version info:    Last successful update    3/31/2016 5:50:56 AM
2016-03-31 10:31:18.085    Error level 1
2016-03-31 10:31:18.241    Update progress: [I19463] Syncing product IDE528 1
2016-03-31 10:31:18.309    Update successful
2016-03-31 10:31:25.797    Option all = no
2016-03-31 10:31:25.797    Option recurse = yes
2016-03-31 10:31:25.797    Option archive = no
2016-03-31 10:31:25.797    Option service = yes
2016-03-31 10:31:25.797    Option confirm = yes
2016-03-31 10:31:25.797    Option sxl = yes
2016-03-31 10:31:25.799    Option max-data-age = 35
2016-03-31 10:31:25.799    Option EnableSafeClean = yes
2016-03-31 10:31:26.264    Option vdl-logging = yes
2016-03-31 10:31:26.279    Customer ID:    094260ca9b3af99f9d4a3909fc47a743
2016-03-31 10:31:26.279    Machine ID:    d7d247654825437bbc0cbec300f452d1
2016-03-31 10:31:26.279    Component SVRTcli.exe version 2.5.5
2016-03-31 10:31:26.279    Component control.dll version 2.5.5
2016-03-31 10:31:26.279    Component SVRTservice.exe version 2.5.5
2016-03-31 10:31:26.279    Component engine\osdp.dll version 1.44.1.2240
2016-03-31 10:31:26.279    Component engine\veex.dll version 3.64.0.2240
2016-03-31 10:31:26.279    Component engine\savi.dll version 9.0.0.2240
2016-03-31 10:31:26.279    Component rkdisk.dll version 1.5.30.0
2016-03-31 10:31:26.279    Version info:    Product version    2.5.5
2016-03-31 10:31:26.279    Version info:    Detection engine    3.64.0
2016-03-31 10:31:26.279    Version info:    Detection data    5.25
2016-03-31 10:31:26.279    Version info:    Build date    3/8/2016
2016-03-31 10:31:26.279    Version info:    Data files added    281
2016-03-31 10:31:26.279    Version info:    Last successful update    3/31/2016 6:31:18 AM
2016-03-31 10:32:11.475    Error level 1

2016-03-31 10:32:11.477    Scan completed.
2016-03-31 10:32:11.477    

------------------------------------------------------------

2016-03-31 10:35:01.008    Sophos Virus Removal Tool version 2.5.5
2016-03-31 10:35:01.008    Copyright © 2009-2014 Sophos Limited. All rights reserved.

2016-03-31 10:35:01.008    This tool will scan your computer for viruses and other threats. If it finds any, it will give you the option to remove them.

2016-03-31 10:35:01.008    Windows version 6.2 SP 0.0  build 9200 SM=0x300 PT=0x1 WOW64
2016-03-31 10:35:01.009    Checking for updates...
2016-03-31 10:35:01.022    Update progress: proxy server not available
2016-03-31 10:35:08.455    Update not required
2016-03-31 10:35:10.912    Option all = no
2016-03-31 10:35:10.912    Option recurse = yes
2016-03-31 10:35:10.912    Option archive = no
2016-03-31 10:35:10.912    Option service = yes
2016-03-31 10:35:10.912    Option confirm = yes
2016-03-31 10:35:10.912    Option sxl = yes
2016-03-31 10:35:10.912    Option max-data-age = 35
2016-03-31 10:35:10.912    Option EnableSafeClean = yes
2016-03-31 10:35:11.497    Option vdl-logging = yes
2016-03-31 10:35:11.513    Customer ID:    094260ca9b3af99f9d4a3909fc47a743
2016-03-31 10:35:11.513    Machine ID:    d7d247654825437bbc0cbec300f452d1
2016-03-31 10:35:11.513    Component SVRTcli.exe version 2.5.5
2016-03-31 10:35:11.513    Component control.dll version 2.5.5
2016-03-31 10:35:11.513    Component SVRTservice.exe version 2.5.5
2016-03-31 10:35:11.513    Component engine\osdp.dll version 1.44.1.2240
2016-03-31 10:35:11.513    Component engine\veex.dll version 3.64.0.2240
2016-03-31 10:35:11.513    Component engine\savi.dll version 9.0.0.2240
2016-03-31 10:35:11.513    Component rkdisk.dll version 1.5.30.0
2016-03-31 10:35:11.513    Version info:    Product version    2.5.5
2016-03-31 10:35:11.513    Version info:    Detection engine    3.64.0
2016-03-31 10:35:11.513    Version info:    Detection data    5.25
2016-03-31 10:35:11.513    Version info:    Build date    3/8/2016
2016-03-31 10:35:11.513    Version info:    Data files added    281
2016-03-31 10:35:11.513    Version info:    Last successful update    3/31/2016 6:31:18 AM

2016-03-31 10:59:04.674    Warning: rootkit scan failed to open device "\\?\Volume{f774d99c-dca1-11e4-8268-fcaa140adb0d}" (1)
2016-03-31 10:59:41.338    Could not open C:\hiberfil.sys
2016-03-31 10:59:41.353    Could not open C:\pagefile.sys
2016-03-31 11:12:17.237    Could not open C:\swapfile.sys
2016-03-31 11:12:17.353    Could not open C:\System Volume Information\{260e870d-f667-11e5-82e0-fcaa140adb0d}{3808876b-c176-4e48-b7ae-04046e6cc752}
2016-03-31 11:12:17.353    Could not open C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}
2016-03-31 11:12:17.353    Could not open C:\System Volume Information\{92d760ad-f668-11e5-82e1-fcaa140adb0d}{3808876b-c176-4e48-b7ae-04046e6cc752}
2016-03-31 11:12:17.353    Could not open C:\System Volume Information\{92d76504-f668-11e5-82e1-fcaa140adb0d}{3808876b-c176-4e48-b7ae-04046e6cc752}
2016-03-31 11:12:17.353    Could not open C:\System Volume Information\{a624c288-f6dc-11e5-82e2-fcaa140adb0d}{3808876b-c176-4e48-b7ae-04046e6cc752}
2016-03-31 11:12:17.353    Could not open C:\System Volume Information\{b7e4b1b7-f0b0-11e5-82d7-fcaa140adb0d}{3808876b-c176-4e48-b7ae-04046e6cc752}
2016-03-31 11:12:17.353    Could not open C:\System Volume Information\{ec5487f5-f72b-11e5-82e5-fcaa140adb0d}{3808876b-c176-4e48-b7ae-04046e6cc752}
2016-03-31 11:18:47.957    Could not open C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb
2016-03-31 11:18:47.957    Could not open C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb
2016-03-31 11:18:49.585    Could not open C:\Windows\System32\config\BBI
2016-03-31 11:18:49.616    Could not open C:\Windows\System32\config\RegBack\DEFAULT
2016-03-31 11:18:49.616    Could not open C:\Windows\System32\config\RegBack\SAM
2016-03-31 11:18:49.616    Could not open C:\Windows\System32\config\RegBack\SECURITY
2016-03-31 11:18:49.616    Could not open C:\Windows\System32\config\RegBack\SOFTWARE
2016-03-31 11:18:49.616    Could not open C:\Windows\System32\config\RegBack\SYSTEM
2016-03-31 11:35:36.243    >>> Virus 'Mal/Generic-S' found in file D:\To Sort\RCT3plus.exe
2016-03-31 11:35:36.243    >>> Virus 'Mal/Generic-S' found in file D:\To Sort\RCT3plus.exe
2016-03-31 11:35:36.243    >>> Virus 'Mal/Generic-S' found in file D:\To Sort\RCT3plus.exe
2016-03-31 11:43:15.896    Could not open LOGICAL:0015:00000000
2016-03-31 11:43:15.911    Could not open V:\
2016-03-31 11:43:15.911    Could not open LOGICAL:0016:00000000
2016-03-31 11:43:15.927    Could not open W:\
2016-03-31 11:43:15.927    Could not open LOGICAL:0017:00000000
2016-03-31 11:43:15.927    Could not open X:\
2016-03-31 11:43:15.943    Could not open LOGICAL:0018:00000000
2016-03-31 11:43:15.943    Could not open Y:\
2016-03-31 11:43:15.943    Could not open LOGICAL:0019:00000000
2016-03-31 11:43:15.958    Could not open Z:\
2016-03-31 11:45:10.023    Could not open PHYSICAL:0086:0000:0000:0001
2016-03-31 11:45:10.023    Could not open PHYSICAL:0087:0000:0000:0001
2016-03-31 11:45:10.039    Could not open PHYSICAL:0088:0000:0000:0001
2016-03-31 11:45:10.039    Could not open PHYSICAL:0089:0000:0000:0001
2016-03-31 11:45:10.039    Could not open PHYSICAL:008A:0000:0000:0001
2016-03-31 11:45:10.039    The following items will be cleaned up:
2016-03-31 11:45:10.039    Mal/Generic-S

Step 2:

Emsisoft Emergency Kit - Version 11.0
Scan log

Date    Scan Method    Objects Scanned    Objects Detected    Duration    Type    
3/31/2016 5:31:36 PM    Malware    86792    2    0:02:14    Manual scan    

Step 3:

Everything seems to be working fine. Of course, I wasn't having any problems before, either.


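An added example, not part of the original post and not Sophos code: a Python triage of the Sophos Virus Removal Tool log above. It deduplicates detections (the one hit on D:\To Sort\RCT3plus.exe is logged three times), records what the tool queued for cleanup, and separates the "Could not open" lines into files that are always locked on a live system, the raw drive-letter/LOGICAL:/PHYSICAL: targets the rootkit pass probes, and anything else, which is the only group that needs a human. The list of expected-locked paths and the reading of the LOGICAL:/PHYSICAL: entries are this example's assumptions, not Sophos documentation; the sample lines are copied from the log above.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample: lines copied from the Sophos Virus Removal Tool log above.
SAMPLE_SVRT_LOG = r'''
2016-03-31 10:59:04.674    Warning: rootkit scan failed to open device "\\?\Volume{f774d99c-dca1-11e4-8268-fcaa140adb0d}" (1)
2016-03-31 10:59:41.338    Could not open C:\hiberfil.sys
2016-03-31 11:18:49.616    Could not open C:\Windows\System32\config\RegBack\SAM
2016-03-31 11:35:36.243    >>> Virus 'Mal/Generic-S' found in file D:\To Sort\RCT3plus.exe
2016-03-31 11:35:36.243    >>> Virus 'Mal/Generic-S' found in file D:\To Sort\RCT3plus.exe
2016-03-31 11:35:36.243    >>> Virus 'Mal/Generic-S' found in file D:\To Sort\RCT3plus.exe
2016-03-31 11:43:15.911    Could not open V:\
2016-03-31 11:45:10.023    Could not open PHYSICAL:0086:0000:0000:0001
2016-03-31 11:45:10.039    The following items will be cleaned up:
2016-03-31 11:45:10.039    Mal/Generic-S
2016-03-31 10:32:11.475    Error level 1
'''

# Every SVRT line is "<timestamp>    <message>"; lines with no message are skipped.
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+(?P<msg>.*\S)\s*$")
DETECT_RE = re.compile(r"^>>> Virus '(?P<name>[^']+)' found in file (?P<path>.+)$")
NOOPEN_RE = re.compile(r"^Could not open (?P<target>.+)$")
# Bare drive letters and LOGICAL:/PHYSICAL: targets: the rootkit pass enumerating
# raw devices, by my reading of the log (assumption, not Sophos documentation).
PROBE_RE = re.compile(r"^(?:[A-Za-z]:\\$|LOGICAL:|PHYSICAL:)")

# Assumed: paths a live scan cannot read even as administrator because the
# kernel, the registry or the backup service holds them open. "Could not open"
# on these is a limitation of scanning a running system, not evidence of tampering.
EXPECTED_LOCKED_PREFIXES = (
    "c:\\hiberfil.sys", "c:\\pagefile.sys", "c:\\swapfile.sys",
    "c:\\system volume information\\",
    "c:\\windows\\system32\\config\\",
    "c:\\windows\\system32\\catroot2\\",
)


def triage_svrt(log_text: str) -> Dict[str, object]:
    """Reduce an SVRT log to the handful of facts a responder needs."""
    detections: Counter = Counter()   # (detection name, path) -> times logged
    expected_locked: List[str] = []
    device_probes: List[str] = []
    unexpected_unreadable: List[str] = []
    warnings: List[str] = []
    error_levels: List[int] = []
    cleanup_queued: List[str] = []
    in_cleanup_list = False
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m["msg"]
        d = DETECT_RE.match(msg)
        if d:
            detections[(d["name"], d["path"])] += 1
            continue
        n = NOOPEN_RE.match(msg)
        if n:
            target = n["target"]
            if PROBE_RE.match(target):
                device_probes.append(target)
            elif target.lower().startswith(EXPECTED_LOCKED_PREFIXES):
                expected_locked.append(target)
            else:
                unexpected_unreadable.append(target)   # the group to look at by hand
            continue
        if msg.startswith("Warning: "):
            warnings.append(msg[len("Warning: "):])
        elif msg.startswith("Error level "):
            error_levels.append(int(msg.rsplit(" ", 1)[1]))
        elif msg == "The following items will be cleaned up:":
            in_cleanup_list = True
        elif in_cleanup_list:
            cleanup_queued.append(msg)
    return {
        "detections": dict(detections),
        "expected_locked": expected_locked,
        "device_probes": device_probes,
        "unexpected_unreadable": unexpected_unreadable,
        "warnings": warnings,
        "error_levels": error_levels,
        "cleanup_queued": cleanup_queued,
    }


if __name__ == "__main__":
    for key, value in triage_svrt(SAMPLE_SVRT_LOG).items():
        print(f"{key}: {value}")
```

On the full log above, the only file-path "Could not open" entries are hiberfil.sys, pagefile.sys, swapfile.sys, the System Volume Information snapshots, the catroot2 catalogue databases and the registry hives and their RegBack copies, so `unexpected_unreadable` comes back empty and the one thing left to examine is the single deduplicated Mal/Generic-S hit.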

#8 Jo* (Malware Response Team, Germany)

Posted 01 April 2016 - 02:45 AM

Hello again,

Step 1: We need to download Temp File Cleaner (TFC) by OldTimer:
  • Please download TFC.exe by Oldtimer at one of the two links: Link 1 Link 2
  • Save and close all running applications
  • Double-click on TFC.exe to run the program
  • Click on Start to begin the cleaning process note: this program may close running applications, make your screen disappear temporarily, or require a reboot of your PC - this is normal and part of the cleanup
  • When the scan is complete, if you were not asked to reboot the computer, please do so now
More Information can be found about the tool here:
http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/



***


Step 2: Important Note: Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
- Kaspersky Lab report: Evaluating the threat level of software vulnerabilities
- Microsoft: Unprecedented Wave of Java Exploitation
- Ghosts of Java Haunt Users

Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 8 and save it to your desktop.
  • Under "Java Platform, Standard Edition"...click the "Download JRE" button to the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • From the list, select (click on) the download link for your operating system (Windows x86 Offline: jre-8u66-windows-i586.exe or Windows x64: jre-8u66-windows-x64.exe) and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs or Programs and Features in Vista/Windows 7/8 and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-8u66-windows-i586.exe (or jre-8u66-windows-x64.exe for 64-bit) to install the newest version.
  • If using Windows 7/8 or Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered any unwanted software or toolbars during installation, just uncheck the box before continuing unless you want it. The McAfee Security Scan Plus may be installed unless you uncheck the McAfee installation box when updating Java.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version. However, be aware that the Java updater prompts you to make Yahoo Search your browser's default search engine and home page...the option is pre-checked.


***


:step3: ESET Online Scanner
  • Click here to download the installer for ESET Online Scanner and save it to your Desktop.
  • Disable all your antivirus and antimalware software - see how to do that here.
  • Right click on esetsmartinstaller_enu.exe and select Run as Administrator.
  • Place a checkmark in YES, I accept the Terms of Use, then click Start. Wait for ESET Online Scanner to load its components.
  • Select Enable detection of potentially unwanted applications.
  • Click Advanced Settings, then place a checkmark in the following:
    • Remove found threats
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click Start to begin scanning.
  • ESET Online Scanner will start downloading signatures and scan. Please be patient, as this scan can take quite some time.
  • When the scan is done, click List threats (only available if ESET Online Scanner found something).
  • Click Export, then save the file to your desktop.
  • Click Back, then Finish to exit ESET Online Scanner.
Open the scan log and copy and paste the content to your next reply.
 

***


:step4: How is the computer running now?


***


Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.
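An added helper for the "remove all older versions of Java" step above (my example, not part of Jo's instructions or any tool he names): it lists every Java entry registered in Add/Remove Programs, reading both the native and the WOW6432Node uninstall hives, and warns about any entry older than the newest one found. It assumes a 64-bit Windows install; on 32-bit Windows the WOW6432Node hive simply does not exist and is skipped.

```powershell
# Added example (not from the original thread): enumerate Java Runtime / JDK
# entries in Add/Remove Programs so leftover old versions can be spotted
# before and after the uninstall steps. Both uninstall hives are read because
# 32-bit JREs on 64-bit Windows register under WOW6432Node.
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

$javaEntries = foreach ($root in $uninstallRoots) {
    if (-not (Test-Path $root)) { continue }   # absent on 32-bit Windows
    Get-ChildItem $root | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        # Match the names the post tells the user to look for: Java / J2SE / JRE / JDK
        if ($p.DisplayName -match '^Java(\s|\()|J2SE|\bJRE\b|\bJDK\b') {
            [pscustomobject]@{
                Name      = $p.DisplayName
                Version   = $p.DisplayVersion
                Hive      = if ($root -like '*WOW6432Node*') { 'WOW6432Node (32-bit)' } else { 'native' }
                Uninstall = $p.UninstallString
            }
        }
    }
}

$javaEntries | Sort-Object Version | Format-Table -AutoSize

# Anything older than the newest installed version is a removal candidate.
# Entries whose DisplayVersion does not parse as a version are left out of the comparison.
$versioned = $javaEntries | Where-Object { $_.Version -as [version] }
$newest = $versioned | ForEach-Object { [version]$_.Version } | Sort-Object -Descending | Select-Object -First 1
$versioned | Where-Object { [version]$_.Version -lt $newest } | ForEach-Object {
    Write-Warning "Outdated Java install still present: $($_.Name) $($_.Version) [$($_.Hive)]"
}
```

Run it again after the reboot in the uninstall steps; an empty warning list means only the newest JRE remains.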


#9 jazzman831

  • Topic Starter
  • Members
  • 40 posts
  • Gender:Male
  • Local time:05:17 AM

Posted 02 April 2016 - 10:30 AM

Step 1:

Complete!

 

Step 2:

Complete!

 

Step 3:

My computer crashed the first time I did the scan, so I don't have the log file. This has been an intermittent issue since I built the computer over a year ago -- it's hardware related and I haven't been able to figure it out yet. However, it did find three things that I don't think are actually threats:

 

    C:\Program Files (x86)\EaseUS\Todo Backup\BUILDPE\EaseUS\tb\bin\PxeServer.dll

    C:\Program Files (x86)\EaseUS\Todo Backup\PxeServer.dll

    C:\Program Files (x86)\EaseUS Partition Master 10.2\bin\tb_free.exe

 

EaseUS is the program I use to set my automatic backups, and I used it to put the initial partitions on my hard drives.

 

Step 4:

Everything seems to be working ok.


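A way to triage the three EaseUS detections listed above, added here as an example rather than anything from the thread or from ESET: it records each file's size, SHA-256 hash and Authenticode signature. A valid signature from the expected publisher supports the false-positive reading; an unsigned or hash-mismatched file does not settle it, and its hash is what you would pass to the vendor or the AV company. The function name Get-FlaggedFileReport is my own.

```powershell
# Added example (not from the original thread): gather evidence about the
# files ESET flagged so a suspected false positive can be argued from data.
$flagged = @(
    'C:\Program Files (x86)\EaseUS\Todo Backup\BUILDPE\EaseUS\tb\bin\PxeServer.dll',
    'C:\Program Files (x86)\EaseUS\Todo Backup\PxeServer.dll',
    'C:\Program Files (x86)\EaseUS Partition Master 10.2\bin\tb_free.exe'
)

function Get-FlaggedFileReport {
    param([string[]]$Paths)
    foreach ($path in $Paths) {
        if (-not (Test-Path -LiteralPath $path)) {
            # "Remove found threats" may already have quarantined or deleted it
            [pscustomobject]@{ Path = $path; Present = $false; SHA256 = $null; SigStatus = 'n/a'; Signer = $null }
            continue
        }
        $item = Get-Item -LiteralPath $path
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $sig  = Get-AuthenticodeSignature -FilePath $path
        [pscustomobject]@{
            Path      = $path
            Present   = $true
            SizeBytes = $item.Length
            Modified  = $item.LastWriteTime
            SHA256    = $hash
            SigStatus = $sig.Status        # Valid, NotSigned, HashMismatch, UnknownError, ...
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }
}

$report = Get-FlaggedFileReport -Paths $flagged
$report | Format-List

# Anything present but without a Valid signature deserves a second look
$report | Where-Object { $_.Present -and $_.SigStatus -ne 'Valid' } | ForEach-Object {
    Write-Warning "Unsigned or invalid signature: $($_.Path) ($($_.SigStatus))"
}
```

The Signer subject should name the software publisher you installed; a signature that is Valid but from an unexpected signer is as much a reason to ask questions as no signature at all.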

#10 Jo*

  • Malware Response Team
  • 3,416 posts
  • Gender:Male
  • Location:Germany
  • Local time:11:17 AM

Posted 02 April 2016 - 11:05 AM

It Appears That Your PC Is Now Clean!


***


Clean up:


***


Right-click AdwCleaner.exe and select Run As Administrator.
  • Click on the Uninstall button.
  • A window will open, press the Confirm button.
  • AdwCleaner will uninstall now.

***


Clean up with delfix:
  • please download delfix to your desktop.
  • Close all other programs and start delfix.
  • Please check all the boxes and run the tool.
  • delfix will now delete all found traces of our removal process.

***


Delete the log files our tools created; they are located at your desktop or at the
"c:\users\{.......}\Downloads" folder.
Highlight them, and press the del or delete key on the keyboard.
You can browse to the location of the file or folder using either My Computer or Windows Explorer.


***


Here are some Preventive tips to reduce the potential for spyware infection in the future

:step1: Browse more securely

:step2: Make sure you keep your Windows OS current.
  • Windows XP users can visit Windows update regularly to download and install any critical updates and service packs.
  • Windows Vista / 7 / 8 users can update via
    Start menu > All Programs > Windows Update > Check for Updates (in left hand task pane).
:step3: Avoid P2P
  • If you think you're using a "safe" P2P program, only the program is safe, not the data.
  • You will share files from unsafe sources, and these may be infected.
  • Some bad guys use P2P filesharing as an important channel to spread their wares.
:step4: Use only one anti-virus software and keep it up-to-date.

:step5: Firewall
Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

:step6: Backup regularly
You never know when your PC will become unstable or become so infected that you can't recover it.

:step7: Use Strong passwords!

:step8: Email attachments
Do not open any unknown email attachments that you received without asking for them!


Extra note:
Keep your browser, Java, PDF reader and Adobe Flash up to date.
And you could install Malwarebytes Anti-Exploit to run alongside your traditional anti-virus or anti-malware products.

Make sure your programs are up to date - because older versions may contain Security Leaks.



#11 jazzman831

  • Topic Starter
  • Members
  • 40 posts
  • Gender:Male
  • Local time:05:17 AM

Posted 02 April 2016 - 12:16 PM

Thank you so much Jo!!



#12 Jo*

  • Malware Response Team
  • 3,416 posts
  • Gender:Male
  • Location:Germany
  • Local time:11:17 AM

Posted 02 April 2016 - 12:31 PM


You are welcome.
Glad we could help.





