Solved: Modem becomes Christmas tree

October 15, 2014 at 12:12:06
Specs: Windows 7
I don't really know what I am doing, but when I plug in the laptop (cable or wireless) and the modem lights up like a blinking Christmas tree, I know something isn't right. It seems I am bleeding data, and connecting to a site has about a 1 in 4 chance of success.
It was suggested to post the HijackThis file here.
Please help and take it slow, I am a noob at this.

Logfile of Trend Micro HijackThis v2.0.5
Scan saved at 8:54:38 PM, on 15-Oct-14
Platform: Unknown Windows (WinNT 6.02.1008)
MSIE: Internet Explorer v11.0 (11.00.9600.17278)

FIREFOX: 33.0 (x86 nl)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
C:\Users\Tosh\AppData\Roaming\uTorrent\uTorrent.exe
C:\Program Files (x86)\TOSHIBA\PasswordUtility\readLM.exe
C:\Program Files (x86)\AVG\AVG2014\avgui.exe
C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe
C:\Windows\SysWOW64\ctfmon.exe
C:\Program Files (x86)\SRWare Iron\chrome.exe
C:\Program Files (x86)\SRWare Iron\chrome.exe
C:\Program Files (x86)\SRWare Iron\chrome.exe
C:\Program Files (x86)\SRWare Iron\chrome.exe
C:\Program Files (x86)\SRWare Iron\chrome.exe
C:\Program Files (x86)\SRWare Iron\chrome.exe
C:\Program Files (x86)\SRWare Iron\chrome.exe
C:\Users\Tosh\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe
C:\Program Files (x86)\SRWare Iron\chrome.exe
C:\Program Files (x86)\SRWare Iron\chrome.exe
C:\Users\Tosh\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://toshiba13.msn.com/?pc=TEJB
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/p/?L...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/p/?L...
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office15\URLREDIR.DLL
O2 - BHO: Microsoft SkyDrive Pro Browser Helper - {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\PROGRA~2\MICROS~1\Office15\GROOVEEX.DLL
O4 - HKLM\..\Run: [AmIcoSinglun64] "C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe"
O4 - HKLM\..\Run: [1.TPUReg] "C:\Program Files (x86)\TOSHIBA\PasswordUtility\readLM.exe"
O4 - HKLM\..\Run: [TSVU] "c:\Program Files\TOSHIBA\TOSHIBA Smart View Utility\TosSmartViewLauncher.exe"
O4 - HKLM\..\Run: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2014\avgui.exe" /TRAYONLY
O4 - HKLM\..\Run: [EEventManager] "C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Program Files (x86)\Common Files\Corel\Corel PhotoDownloader\Corel PhotoDownloader.exe" -startup
O4 - HKLM\..\Run: [AdobeCS6ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe" -launchedbylogin
O4 - HKCU\..\Run: [Spotify Web Helper] "C:\Program Files (x86)\Spotify\Data\SpotifyWebHelper.exe"
O4 - HKCU\..\Run: [Akamai NetSession Interface] "C:\Users\Tosh\AppData\Local\Akamai\netsession_win.exe"
O4 - HKCU\..\Run: [uTorrent] "C:\Users\Tosh\AppData\Roaming\uTorrent\uTorrent.exe" /MINIMIZED
O4 - HKCU\..\Run: [Epic Privacy Browser Update] "C:\Users\Tosh\AppData\Local\Epic Privacy Browser\Update\EpicUpdate.exe" /c
O4 - HKCU\..\Run: [EPLTarget\P0000000000000000] C:\Windows\system32\spool\DRIVERS\x64\3\E_IATILFE.EXE /EPT "EPLTarget\P0000000000000000" /M "XP-312 313 315 Series"
O4 - HKCU\..\Run: [EPLTarget\P0000000000000001] C:\Windows\system32\spool\DRIVERS\x64\3\E_IATILFE.EXE /EPT "EPLTarget\P0000000000000001" /M "XP-312 313 315 Series"
O4 - HKCU\..\Run: [EPLTarget\P0000000000000002] C:\Windows\system32\spool\DRIVERS\x64\3\E_IATILFE.EXE /EPT "EPLTarget\P0000000000000002" /M "XP-312 313 315 Series"
O4 - HKCU\..\Run: [EPLTarget\P0000000000000003] C:\Windows\system32\spool\DRIVERS\x64\3\E_IATILFE.EXE /EPT "EPLTarget\P0000000000000003" /M "XP-312 313 315 Series"



#1
October 15, 2014 at 13:42:15
This is a starting point, we will probably have to dig deeper.

Run both of these, in this order.

Step 1: Run AdwCleaner
http://www.softpedia.com/get/Antivi...
http://www.raymond.cc/blog/adwclean...
http://www.bleepingcomputer.com/dow...
Author's site
http://general-changelog-team.fr/en...
Tutorial
http://general-changelog-team.fr/en...
Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click on Clean.
Confirm each time with Ok.
Your computer will be rebooted automatically. A text file will open after the restart.
Please Copy & Paste the contents of that logfile with your next answer.
You can find the logfile at C:\AdwCleaner[S1].txt as well.

Step 2: Run Junkware Removal Tool
http://www.softpedia.com/get/Securi...
http://www.bleepingcomputer.com/dow...
http://thisisudax.blogspot.com.au/2...
Download Junkware Removal Tool onto your Desktop. If your default download location is not the Desktop, drag it out of its location onto the Desktop.
Warning! Once the scan is complete JRT will shut down your browser with NO warning.
Shut down your protection software now to avoid potential conflicts.
Temporarily disable your antivirus and any antispyware real time protection before performing a scan.
Click this link to see a list of security programs that should be disabled and how to disable them.
http://www.bleepingcomputer.com/for...
http://www.techsupportforum.com/for...
Run the tool by double-clicking it. If you are using Windows Vista or Windows 7/8, right-click JRT and select Run as Administrator.
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved onto your Desktop and will automatically open.
Copy and Paste the contents of the JRT.txt log please.



#2
October 15, 2014 at 13:46:11
Is it possible that utorrent is downloading a bunch of movies or music??? It runs on startup, and continues downloading any torrent files (the music and movies).

To err is human but to really screw things up, you need a computer!



#3
October 15, 2014 at 14:05:10
# AdwCleaner v4.000 - Report created 15/10/2014 at 23:01:19
# DB v2014-10-15.7
# Updated 12/10/2014 by Xplode
# Operating System : Windows 8.1 (64 bits)
# Username : Tosh - TOSHIBA
# Running from : C:\Users\Tosh\Downloads\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\NCH Software
Folder Deleted : C:\Program Files (x86)\NCH Software
Folder Deleted : C:\Users\Tosh\AppData\Roaming\NCH Software
File Deleted : C:\Users\Tosh\AppData\Roaming\Mozilla\Firefox\Profiles\hye7hp0f.default\user.js

***** [ Scheduled Tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{058F0E48-61CA-4964-9FBA-1978A1BB060D}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{18F33C35-8EF2-40D7-8BA4-932B0121B472}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17278


-\\ Mozilla Firefox v33.0 (x86 nl)


-\\ Google Chrome v


*************************

AdwCleaner[R0].txt - [1747 octets] - [15/10/2014 22:59:23]
AdwCleaner[S0].txt - [1443 octets] - [15/10/2014 23:01:19]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1503 octets] ##########



#4
October 15, 2014 at 14:08:24
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.3.3 (10.14.2014:1)
OS: Windows 8.1 x64
Ran by Tosh on 15-Oct-14 at 23:05:52.45
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


~~~ Services

~~~ Registry Values

~~~ Registry Keys

~~~ Files

Successfully deleted: [File] "C:\Windows\wininit.ini"

~~~ Folders

~~~ FireFox

Emptied folder: C:\Users\Tosh\AppData\Roaming\mozilla\firefox\profiles\hye7hp0f.default\minidumps [3 files]

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 15-Oct-14 at 23:07:59.54
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



#5
October 15, 2014 at 14:12:16
And uTorrent is just seeding the books I have written and am seeding for free. If you like science fiction, then by all means, and as thanks for all the help I'll get, download the 'Foothold of Tethys' torrents. :)


#6
October 15, 2014 at 14:12:58
Step 3: Update & Run Malwarebytes' Anti-Malware ( MBAM ) Free Version. Use Quick scan ( now called Threat Scan )
Make sure you uncheck > Enable free trial < at the END of the install.
http://i.imgur.com/tUFCbYz.gif
Click the Settings tab at the top, and then in the left column, select Detections and Protections, and if not already checked place a checkmark in the selection box to Scan for rootkits.
http://i.imgur.com/dZgt1g2.gif
Copy and Paste the contents of the log, in your reply please.
http://i.imgur.com/U9IqcVj.gif
http://i.imgur.com/zHMG6J9.gif
Or,
http://i.imgur.com/eLcvyZD.gif
Malwarebytes' Anti-Malware
http://www.softpedia.com/get/Antivi...
http://www.malwarebytes.org/free/
Click the Settings tab at the top, and then in the left column, select Detections and Protections, and if not already checked place a checkmark in the selection box to Scan for rootkits.
If potential threats are detected, ensure that Quarantine is selected as the Action for all the listed items, and click the Apply Actions button.
If your MBAM log indicates "No action taken", that's usually a result of NOT clicking the Apply Actions button after the scan. In most cases, a restart will be required.
http://i.imgur.com/U9IqcVj.gif
http://i.imgur.com/zHMG6J9.gif
Or,
http://i.imgur.com/eLcvyZD.gif


#7
October 15, 2014 at 15:00:20
Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 15-Oct-14
Scan Time: 11:34:44 PM
Logfile:
Administrator: Yes

Version: 2.00.3.1025
Malware Database: v2014.10.15.08
Rootkit Database: v2014.10.15.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 8.1
CPU: x64
File System: NTFS
User: Tosh

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 346256
Time Elapsed: 25 min, 0 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)



#8
October 15, 2014 at 15:14:20
Step 4: Run TFC
http://www.geekstogo.com/forum/file...
http://www.bleepingcomputer.com/dow...
http://oldtimer.geekstogo.com/TFC.exe
http://www.itxassociates.com/OT-Too...
Download it onto your Desktop. If your default download location is not the Desktop, drag it out of its location onto the Desktop.
Double-click TFC.exe to run it. Note: If you are running on Vista/Windows 7/8, right-click on the file and choose Run As Administrator.
It will close all programs when run, so make sure you have saved all your work before you begin.
Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

Step 5: Please download Farbar Recovery Scan Tool and save it onto your Desktop. If your default download location is not the Desktop, drag it out of its location onto the Desktop.
http://www.bleepingcomputer.com/dow...
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) on the Desktop.
The first time the tool is run, it makes also another log (Addition.txt).
The logs are large, upload them using this, or upload to a site of your choosing. No account needed. Give us the links please.
http://www.zippyshare.com/
Instructions on how to use ZippyShare.
http://i.imgur.com/naG6t2T.gif
http://i.imgur.com/Vi9ZdIh.gif
http://i.imgur.com/1IZu5kP.gif

message edited by Johnw



#9
October 15, 2014 at 15:30:22
TFC: 654 MB cleaned... rebooting and then starting part 2



#11
October 15, 2014 at 15:41:10
"I am a noob at this"
You are going beautifully.

I will need a couple of hours to go through the Farbar logs.

This is my time zone.
http://www.timeanddate.com/worldclo...

Turn the modem off for 5 mins, then back on & let me know how it is behaving.



#12
October 15, 2014 at 15:48:14
Perth, Australia... cool... Amsterdam, the Netherlands here and I REALLY need to get some sleep... after I test the modem. :P I haven't seen full Christmas mode since we started, just now and then the lights flicker simultaneously. And I might not exactly know what I am doing, but I can handle decent instructions, which I am getting. :)
Modem test in 3... 2... 1...


#13
October 15, 2014 at 16:06:43
Restarted... Modem starts up smoothly, but as I reconnected the laptop the lights went all over the place again for a little while and then settled down. As the rest of the computers are turned off those lights should not be blinking... or at least I think they shouldn't. It somehow feels like the laptop is trying to connect to the others, but it can only reach the NAS.


#14
October 15, 2014 at 16:08:38
Go to bed, shall get back to you later.


#15
October 15, 2014 at 16:38:09
Whether uTorrent is downloading or seeding, it creates internet traffic.
Quit the uTorrent app (not close or minimize) and check if the traffic slows down after a few minutes.


#16
October 15, 2014 at 19:17:33
Copy & Paste the text below ( starting AlternateDataStreams ), save it into Notepad on your Desktop & name it fixlist.txt
NOTE: It is important that Notepad is used. The fix will not work if Word or some other program is used.
NOTE: It is important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please Copy & Paste the contents into your reply.

AlternateDataStreams: C:\ProgramData\TEMP:C8B8CEBD
SearchScopes: HKLM - {F09ACB33-8CBB-4550-BFA6-8874FF7AA9B6} URL = http://www.bing.com/search?q={searc...
SearchScopes: HKLM-x32 - {F09ACB33-8CBB-4550-BFA6-8874FF7AA9B6} URL = http://www.bing.com/search?q={searc...
SearchScopes: HKCU - {F09ACB33-8CBB-4550-BFA6-8874FF7AA9B6} URL =
HKLM\...\Run: [] => [X]
HKU\S-1-5-21-2918905580-2248004291-3516979490-1002\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-2918905580-2248004291-3516979490-1002\...\MountPoints2: {2426c80b-92f6-11e3-8255-806e6f6e6963} - "E:\autorun.exe"
FF Homepage: https://www.facebook.com/|https://m...
CHR StartupUrls: Default -> "https://mail.google.com/mail/ca/?pli=1#inbox", "hxxp://angrywhitegirlblogs.wordpress.com/"



#17
October 16, 2014 at 01:17:52
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 15-10-2014 02
Ran by Tosh at 2014-10-16 10:15:04 Run:1
Running from C:\Users\Tosh\Desktop
Loaded Profile: Tosh (Available profiles: Tosh)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
AlternateDataStreams: C:\ProgramData\TEMP:C8B8CEBD
SearchScopes: HKLM - {F09ACB33-8CBB-4550-BFA6-8874FF7AA9B6} URL = http://www.bing.com/search?q={searc...
SearchScopes: HKLM-x32 - {F09ACB33-8CBB-4550-BFA6-8874FF7AA9B6} URL = http://www.bing.com/search?q={searc...
SearchScopes: HKCU - {F09ACB33-8CBB-4550-BFA6-8874FF7AA9B6} URL =
HKLM\...\Run: [] => [X]
HKU\S-1-5-21-2918905580-2248004291-3516979490-1002\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-2918905580-2248004291-3516979490-1002\...\MountPoints2: {2426c80b-92f6-11e3-8255-806e6f6e6963} - "E:\autorun.exe"
FF Homepage: https://www.facebook.com/|https://m...
CHR StartupUrls: Default -> "https://mail.google.com/mail/ca/?pli=1#inbox", "hxxp://angrywhitegirlblogs.wordpress.com/"
*****************

C:\ProgramData\TEMP => ":C8B8CEBD" ADS removed successfully.
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{F09ACB33-8CBB-4550-BFA6-8874FF7AA9B6}" => Key deleted successfully.
"HKCR\CLSID\{F09ACB33-8CBB-4550-BFA6-8874FF7AA9B6}" => Key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{F09ACB33-8CBB-4550-BFA6-8874FF7AA9B6}" => Key deleted successfully.
"HKCR\Wow6432Node\CLSID\{F09ACB33-8CBB-4550-BFA6-8874FF7AA9B6}" => Key not found.
"HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{F09ACB33-8CBB-4550-BFA6-8874FF7AA9B6}" => Key deleted successfully.
"HKCR\CLSID\{F09ACB33-8CBB-4550-BFA6-8874FF7AA9B6}" => Key not found.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\ => value deleted successfully.
HKU\S-1-5-21-2918905580-2248004291-3516979490-1002\Software\Microsoft\Windows\CurrentVersion\Run\\AdobeBridge => value deleted successfully.
"HKU\S-1-5-21-2918905580-2248004291-3516979490-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2426c80b-92f6-11e3-8255-806e6f6e6963}" => Key deleted successfully.
"HKCR\CLSID\{2426c80b-92f6-11e3-8255-806e6f6e6963}" => Key not found.
Firefox homepage deleted successfully.
Chrome StartupUrls deleted successfully.

==== End of Fixlog ====



#18
October 16, 2014 at 02:30:49
Just waiting on a phone call from friends to go & pick them up at the airport, after a European holiday.

You appear to be clean, process of elimination now.

Here is a decision for you to make.
An easy way to disable & test is to rename them.
1: lirsgt.sys.old
2: atksgt.sys.old

Extracts from the Farbar logs.
System errors:
=============
Error: (10/16/2014 00:33:49 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The lirsgt service failed to start due to the following error:
%%577
Error: (10/16/2014 00:33:36 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The atksgt service failed to start due to the following error:
%%577

CodeIntegrity Errors:
===================================
Date: 2014-10-16 00:33:49.419
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\drivers\lirsgt.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
Date: 2014-10-16 00:33:36.510
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\drivers\atksgt.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

What is lirsgt?
http://www.file.net/process/lirsgt....
Don't use > Security Task Manager, we can do everything for FREE.
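Added example, not part of the thread: a PowerShell check you can run before renaming the two drivers named in the Farbar extracts above. Only the driver names come from the post; the cmdlets are standard PowerShell 3+ on Windows 8.1, and the script should be run from an elevated prompt.

```powershell
# Added example, not from the thread: inspect lirsgt.sys and atksgt.sys
# (names taken from the Farbar extracts) before deciding to rename them.
$drivers = 'lirsgt', 'atksgt'

foreach ($name in $drivers) {
    $path = Join-Path $env:SystemRoot "System32\drivers\$name.sys"
    Write-Host "== $name =="

    if (-not (Test-Path -LiteralPath $path)) {
        Write-Host "  file not present: $path"
        continue
    }

    # Authenticode status of the image: Valid, NotSigned, HashMismatch, ...
    # 64-bit Windows will not load a kernel driver it cannot verify; the
    # "%%577" in the SCM 7000 errors is ERROR_INVALID_IMAGE_HASH (577), the
    # same condition the CodeIntegrity entries describe.
    $sig = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'none' }
    Write-Host "  signature : $($sig.Status) ($signer)"

    # Service entry for the driver: the start mode tells you whether Windows
    # will keep trying (and failing) to load it at every boot.
    $svc = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$name'"
    if ($svc) {
        Write-Host "  start mode: $($svc.StartMode), state: $($svc.State), path: $($svc.PathName)"
    } else {
        Write-Host "  no driver service registered under the name $name"
    }

    # Renaming to .sys.old is what the post suggests; -WhatIf only shows the
    # rename that would happen, so nothing changes until you drop the switch.
    Rename-Item -LiteralPath $path -NewName "$name.sys.old" -WhatIf
}

# Every image Code Integrity refused to verify in the last week, so the list
# is complete rather than just the two quoted above. Matching on the message
# text avoids depending on a particular event ID.
Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        StartTime = (Get-Date).AddDays(-7)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*unable to verify the image integrity*' } |
    ForEach-Object { '{0:s}  {1}' -f $_.TimeCreated, ($_.Message -split "`n")[0] }
```

If the signature status is anything other than Valid and the start mode is still Boot, System or Auto, the driver will go on producing the 7000 errors at every start until it is renamed or the product that installed it is removed.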



#19
October 16, 2014 at 04:35:16
Well, this is great news. I have been checking the network in Resource Monitor and it seems to have quieted down quite a bit. I still have a few strange programs accessing the internet without clear reason. It seems svchost.exe is some kind of steering wheel to connect to a place, while another program tells it where to go, but what I don't understand is why System and dashost.exe need to connect anywhere. If I cancel these processes, dashost.exe doesn't do much, but if I cancel System the entire laptop freezes. Are these programs OK to keep active?


#20
October 16, 2014 at 04:37:15
Also, sometimes Chrome seems to go crazy, opening about 20 types of itself while I only have 4 tabs open. I am not sure what that is about.


#21
October 16, 2014 at 05:02:18
Let's check deeper, too many funny things going on.

Run RogueKiller
http://www.softpedia.com/get/Securi...
http://majorgeeks.com/RogueKiller_d...
http://www.geekstogo.com/forum/file...
http://tigzy.geekstogo.com/roguekil...
http://www.sur-la-toile.com/RogueKi...
User Guide
http://www.adlice.com/softwares/rog...
Official tutorial
http://www.adlice.com/softwares/rog...
If RogueKiller won't run, open IE & turn off SmartScreen Filter.
http://windows.microsoft.com/en-AU/...
Download & SAVE to your Desktop. If your default download location is not the Desktop, drag it out of its location onto the Desktop.
Quit all programs that you may have started.
Shutdown your antivirus to avoid any conflicts.
Please disconnect any USB or external drives from the computer before you run this scan!
For Vista or Windows 7/8, right-click and select "Run as Administrator" to start.

For Windows XP, double-click to start.
Wait until Prescan has finished ...
Then Click on "Scan" button
Wait until the Status box shows "Scan Finished"
Click on "delete"
Wait until the Status box shows "Deleting Finished"
Click on "Report" and Copy & Paste the content of the Notepad into your next reply.
The log should be found in RKreport[1].txt on your Desktop.
Exit/Close RogueKiller.
When completed make sure to re-enable your antivirus.




#22
October 16, 2014 at 06:36:45
RogueKiller V10.0.2.0 [Oct 16 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/rog...
Blog : http://www.adlice.com

Operating System : Windows 8.1 (6.3.9200 ) 64 bits version
Started in : Normal mode
User : Tosh [Administrator]
Mode : Delete -- Date : 10/16/2014 15:34:01

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 6 ¤¤¤
[Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-2918905580-2248004291-3516979490-1002\Software\Microsoft\Windows\CurrentVersion\Run | Epic Privacy Browser Update : "C:\Users\Tosh\AppData\Local\Epic Privacy Browser\Update\EpicUpdate.exe" /c [-][x] -> Deleted
[Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-2918905580-2248004291-3516979490-1002\Software\Microsoft\Windows\CurrentVersion\Run | Epic Privacy Browser Update : "C:\Users\Tosh\AppData\Local\Epic Privacy Browser\Update\EpicUpdate.exe" /c -> ERROR [2]
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Replaced (0)
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Replaced (0)
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Replaced (0)
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Replaced (0)

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤

¤¤¤ Web browsers : 2 ¤¤¤
[FIREFX:Addon] hye7hp0f.default : Adblock Plus [{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}] -> Deleted
[PUM.Proxy][FIREFX:Config] hye7hp0f.default : user_pref("network.proxy.type", 4); -> Replaced (0)

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: TOSHIBA MQ01ABD075 +++++
--- User ---
[MBR] a84dd93b5b19931ceaddbccc47850486
[BSP] df4f83c1f72e36823a12b0dfc7617313 : Empty MBR Code
Partition table:
0 - [XXXXXX] UNKNOWN (0x0) [VISIBLE] Offset (sectors): 1 | Size: 2097151 MB
User = LL1 ... OK
User = LL2 ... OK


============================================
RKreport_SCN_10162014_153242.log



#23
October 16, 2014 at 06:55:46
When I do nothing Network drops to 0 after a while, no more random spikes. But when I opened a Word file (the current book I am working on) it spiked 5 svchost.exe 's. Though they bled only bytes per second for about a minute or 2, I do wonder why they would do this. Some kind of monitoring perhaps, Word checking for updates, or is it sending information on what I do somewhere? *slightly paranoid mode due to all this*


#24
October 16, 2014 at 15:36:26
"it spiked 5 svchost.exe 's"
That's normal, try doing the same on another comp/router/modem.

"or is it sending information on what I do somewhere?"
We will do a check on that later.

Run ESET Online Scanner, Copy and Paste the contents of the log in your reply please. This scan may take a very long while, so please be patient. Maybe start it before going to work or bed.
http://www.eset.com/us/online-scann...
http://www.eset.com/home/products/o...
You may have to download ESET from a good computer, put it on a flash/thumb/pen drive & run it from there, if your comp is unbootable, or won't let you download.
Create a ESET SysRescue CD or USB drive
http://kb.eset.com/esetkb/index?pag...
How do I use my ESET SysRescue CD or USB flash drive to scan and clean my system?
http://kb.eset.com/esetkb/index?pag...
Configure ESET this way & disable your AV.
http://i.imgur.com/3U7YC.gif
How to Temporarily Disable your Anti-virus
http://www.bleepingcomputer.com/for...
http://www.techsupportforum.com/for...
Which web browsers are compatible with ESET Online Scanner?
http://www.nod32.fi/eset-online-sca...
http://kb.eset.com/esetkb/index?pag...
Online Scanner not working
http://kb.eset.com/esetkb/index?pag...
Why Would I Ever Need an Online Virus Scanner? I already have an antivirus program installed, isn't that enough?
http://www.squidoo.com/the-best-fre...
Once onto a machine, malware can disable antivirus programs, prevent antimalware programs from downloading updates, or prevent a user from running antivirus scans or installing new antivirus software or malware removal tools. At this point even though you are aware the computer is infected, removal is very difficult.
5: Why does the ESET Online Scanner run slowly on my computer?
If you have other antivirus, antispyware or anti-malware programs running on your computer, they may intercept the scan being performed by the ESET Online Scanner and hinder performance. You may wish to disable the real-time protection components of your other security software before running the ESET Online Scanner. Remember to turn them back on after you are finished.
17: How can I view the log file from ESET Online Scanner?
http://kb.eset.com/esetkb/index?pag...
http://www.eset.com/home/products/o...
The ESET Online Scanner saves a log file after running, which can be examined or sent in to ESET for further analysis. The path to the log file is "C:\Program Files\EsetOnlineScanner\log.txt". You can view this file by navigating to the directory and double-clicking on it in Windows Explorer, or by copying and pasting the path specification above (including the quotation marks) into the Start > Run dialog box from the Start Menu on the Desktop.
If no threats are found, you will simply see an information window that no threats were found.
http://www.trishtech.com/security/s...
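Added example, not part of the thread: a PowerShell report that attributes each outbound TCP connection to its owning process and, for svchost.exe, to the services hosted in that PID, so a "spike of 5 svchost.exe's" can be tied to a named service rather than guessed at from Resource Monitor. It assumes Windows 8 or later (for Get-NetTCPConnection) and an elevated prompt for full visibility of other users' processes.

```powershell
# Added example, not from the thread: which process, and which hosted
# service, is behind each outbound TCP session.
function Get-OutboundOwners {
    # Established or half-open outbound sessions; loopback and unspecified
    # addresses are filtered out because they never leave the machine.
    $conns = Get-NetTCPConnection -State Established, SynSent -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$|0\.0\.0\.0$|::$)' }

    # PID -> process object, built once instead of one Get-Process per row.
    $procs = @{}
    Get-Process | ForEach-Object { $procs[$_.Id] = $_ }

    # PID -> names of the running services living in that process. This is
    # what turns an anonymous svchost.exe into something you can reason about.
    $svcByPid = @{}
    Get-CimInstance -ClassName Win32_Service -Filter "State='Running'" | ForEach-Object {
        $id = [int]$_.ProcessId
        if (-not $svcByPid.ContainsKey($id)) { $svcByPid[$id] = @() }
        $svcByPid[$id] += $_.Name
    }

    foreach ($c in $conns) {
        $owner = [int]$c.OwningProcess
        $p = $procs[$owner]

        # svchost.exe is only a host; the services in that PID open the
        # sockets. PID 4 is the kernel's System process (SMB/NetBIOS traffic to
        # the NAS shows up here); it has no image path and cannot be ended,
        # which is why killing it froze the laptop.
        $hosted = ''
        if ($p -and $p.ProcessName -eq 'svchost' -and $svcByPid.ContainsKey($owner)) {
            $hosted = $svcByPid[$owner] -join ','
        }
        $procName = if ($p) { $p.ProcessName } else { "pid $owner" }
        $image    = if ($p) { $p.Path } else { '' }

        [pscustomobject]@{
            Process  = $procName
            PID      = $owner
            Services = $hosted
            Remote   = '{0}:{1}' -f $c.RemoteAddress, $c.RemotePort
            State    = $c.State
            Image    = $image
        }
    }
}

Get-OutboundOwners | Sort-Object Process, PID | Format-Table -AutoSize
```

Run it once while idle and once right after opening the Word document; a row whose Image is outside C:\Windows or C:\Program Files, or an svchost PID whose Services column is empty, is the one worth looking at more closely.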





#25
October 17, 2014 at 09:58:26
C:\AdwCleaner\Quarantine\C\Program Files (x86)\NCH Software\Debut\debut.exe.vir a variant of Win32/Bundled.Toolbar.Google.C potentially unsafe application deleted - quarantined
C:\AdwCleaner\Quarantine\C\Program Files (x86)\NCH Software\Debut\debutsetup_v2.02.exe.vir a variant of Win32/Bundled.Toolbar.Google.C potentially unsafe application deleted - quarantined
C:\AdwCleaner\Quarantine\C\Program Files (x86)\NCH Software\Doxillion\doxillion.exe.vir a variant of Win32/Bundled.Toolbar.Google.C potentially unsafe application deleted - quarantined
C:\AdwCleaner\Quarantine\C\Program Files (x86)\NCH Software\Doxillion\doxillionsetup_v2.22.exe.vir a variant of Win32/Bundled.Toolbar.Google.C potentially unsafe application deleted - quarantined
C:\Users\Tosh\Downloads\debutpsetup.exe a variant of Win32/Bundled.Toolbar.Google.C potentially unsafe application deleted - quarantined


#26
October 17, 2014 at 14:55:47
✔ Best Answer
You are now clean. Am I being hacked? I doubt it; will deal with that soon.

A lot of programs now give you the choice to install toolbars & other items during the install. Either uncheck these items during the install, or use Custom install. No more click, click during an install; you have to read after each click.

I use Softpedia; down the bottom of the page, they make you aware of what ad-supported programs the author of the program has included.
Sample pages
http://www.softpedia.com/get/CD-DVD...
First and foremost, extra attention needs to be paid during installation as ImgBurn offers to create desktop shortcuts to third-party apps, as well as install a browser toolbar onto the host computer, which are not required to ensure the smooth running of the app.
SS of above.
http://i.imgur.com/jgGYNsP.gif
This is what ImgBurn tries to install.
http://i.imgur.com/ms4DzE9.gif
http://i.imgur.com/vVkd39a.gif
http://i.imgur.com/rqFVaHs.gif
http://i.imgur.com/sm1T7h6.gif
http://i.imgur.com/vhkKLYo.gif

I did not run Debut Video Capture Software; down the bottom of the Softpedia page it says this.
Users are advised to pay attention while installing this ad-supported application:
Offers to change the homepage for web browsers installed in the system
Offers to change the default search engine for web browsers installed in the system
Offers to download or install software or components (such as browser toolbars) that the program does not require to fully function
http://www.softpedia.com/get/Multim...

Use Unchecky to help prevent these third-party installs. Nothing is perfect; the baddies are always ahead of the goodies, so be vigilant.
http://www.softpedia.com/get/System...
http://unchecky.com/
A reliable application that aims to protect your computer against third-party components often offered during software installations.



#27
October 17, 2014 at 14:57:07
How long have you been using Epic Privacy Browser?
http://www.pcmag.com/article2/0,281...
http://www.pcmag.com/article2/0%2c2...
Cons
Not compatible with password managers. Some websites don't work, or work strangely. Search engine skips some standard search modifiers.
Glitches and Limitations
The fact that Epic doesn't allow add-ons means that most password manager utilities won't work. Some password managers, including RoboForm Everywhere 7 and Editors' Choice LastPass 3.0, support bookmarklets for situations when you can't install a plug-in. A bookmarklet is a tiny Javascript program that's entirely contained in a browser bookmark.

Unfortunately, these bookmarklets rely on cookies and on access to the referrer field, both of which are blocked by Epic. Alok Bhardwaj, the company's CEO and founder, told me that Epic will soon support a small set of plug-ins including popular password managers, and that the designers are working on a solution for the bookmarklet problem.

In testing, I found that some websites simply didn't work with Epic, or worked strangely. For example, when I tried to visit my favorite crossword-puzzle site via Epic's proxy, it suddenly demanded a username and password. A toolbar button opens a menu that lets you disable specific privacy features, but the only way I could regain access to the crossword site was to stop using the proxy.

The search page does draw on major engines, but doesn't support some standard search modifiers. For example, when I added "intitle:review" to a search, it asked if I perhaps intended "entitled:review." Stranger still, when I entered new search terms after certain searches, it did nothing. I had to go back to the main search page to start a new search.

Worth a Try
If you routinely use InPrivate browsing in Internet Explorer, Incognito in Chrome, or Private browsing in Firefox, consider giving Epic Privacy Browser a try. With Epic, privacy isn't an option; it's the default. Yes, there are a few glitches; this is definitely a work in progress. But Epic Privacy Browser will definitely protect your online privacy.

I would uninstall it using IOBit & test.
Use IObit Uninstaller
http://www.softpedia.com/get/Tweak/...
http://www.freewarefiles.com/IObit-...
http://www.freewarefiles.com/screen...
http://www.majorgeeks.com/files/det...
http://www.iobit.com/advanceduninst...
Do a Standard Uninstall & then the Powerful Scan to remove all the lurking bits.
http://i.imgur.com/olyCkcJ.gif
http://i.imgur.com/cKc5Chi.gif
http://i.imgur.com/HuWkaZo.gif

