Can someone help me get rid of a trojan or whatever?

December 30, 2014 at 18:14:57
Specs: Windows 7 Professional SP1 - 64 bit, Intel Core 2 Quad CPU Q9450 @ 2.66GHz 2.67 GHz / 4.00 GB RAM
I seem to have gotten a trojan of some sort. AVG found it, but Malwarebytes did not. Although AVG supposedly keeps cleaning up my system, every time I run it, it finds something else wrong. Malwarebytes keeps coming up OK, but my computer is not running well at all. Thank you for any help you can give me. I am running Windows 7 Professional. I am also getting unresponsive scripts constantly.

#1
December 30, 2014 at 18:36:13
Run RogueKiller
http://www.softpedia.com/get/Securi...
http://majorgeeks.com/RogueKiller_d...
http://www.geekstogo.com/forum/file...
http://tigzy.geekstogo.com/roguekil...
http://www.sur-la-toile.com/RogueKi...
User Guide
http://www.adlice.com/softwares/rog...
Official tutorial
http://www.adlice.com/softwares/rog...
If RogueKiller won't run, open IE & turn off SmartScreen Filter.
http://windows.microsoft.com/en-AU/...
Download & SAVE to your Desktop. If your default download location is not the Desktop, drag it out of its location onto the Desktop.
Quit all programs that you may have started.
Shutdown your antivirus to avoid any conflicts.
Please disconnect any USB or external drives from the computer before you run this scan!
For Vista or Windows 7/8, right-click and select "Run as Administrator" to start.

For Windows XP, double-click to start.
Wait until Prescan has finished ...
Then Click on "Scan" button
Wait until the Status box shows "Scan Finished"
Click on "Delete"
Wait until the Status box shows "Deleting Finished"
Click on "Report" and Copy & Paste the content of the Notepad into your next reply.
The log should be found in RKreport[1].txt on your Desktop.
Exit/Close RogueKiller.
When completed make sure to re-enable your antivirus.

#2
December 31, 2014 at 14:14:50
RogueKiller V10.1.1.0 [Dec 23 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/rog...
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Owner [Administrator]
Mode : Delete -- Date : 12/31/2014 16:58:29

¤¤¤ Processes : 2 ¤¤¤
[Tr.Poweliks] dllhost.exe -- C:\Windows\syswow64\dllhost.exe[7] -> Killed [TermProc]
[Tr.Poweliks] dllhost.exe -- C:\Windows\syswow64\dllhost.exe[7] -> Killed [TermProc]

¤¤¤ Registry : 31 ¤¤¤
[PUP] (X64) HKEY_LOCAL_MACHINE\RK_Software_ON_E_79E9\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670} -> Not selected
[PUP] (X64) HKEY_LOCAL_MACHINE\RK_Software_ON_E_79E9\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -> Not selected
[PUP] (X64) HKEY_LOCAL_MACHINE\RK_Software_ON_E_79E9\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233} -> Not selected
[PUP] (X86) HKEY_LOCAL_MACHINE\RK_Software_ON_E_79E9\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670} -> Not selected
[PUP] (X86) HKEY_LOCAL_MACHINE\RK_Software_ON_E_79E9\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -> Not selected
[PUP] (X86) HKEY_LOCAL_MACHINE\RK_Software_ON_E_79E9\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233} -> Not selected
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670} -> Not selected
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233} -> Not selected
[Suspicious.Path] (X64) HKEY_USERS\RK_owner_ON_E_F648\Software\Microsoft\Windows\CurrentVersion\Run | AIM for Windows : "C:\Documents and Settings\owner\Local Settings\Application Data\AOL\AIM\aim.exe" [x] -> Deleted
[Suspicious.Path] (X86) HKEY_USERS\RK_owner_ON_E_F648\Software\Microsoft\Windows\CurrentVersion\Run | AIM for Windows : "C:\Documents and Settings\owner\Local Settings\Application Data\AOL\AIM\aim.exe" -> ERROR [2]
[PUP] (X64) HKEY_LOCAL_MACHINE\RK_System_ON_E_A1F8\ControlSet001\Services\vToolbarUpdater14.1.7 -> Not selected
[PUP] (X64) HKEY_LOCAL_MACHINE\RK_System_ON_E_A1F8\ControlSet002\Services\vToolbarUpdater14.1.7 -> Not selected
[PUM.HomePage] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : https://agencygateway1.allstate.com... -> Not selected
[PUM.HomePage] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : https://agencygateway1.allstate.com... -> Not selected
[PUM.HomePage] (X64) HKEY_USERS\RK_owner_ON_E_F648\Software\Microsoft\Internet Explorer\Main | Start Page : https://agencygateway1.allstate.com... -> Not selected
[PUM.HomePage] (X86) HKEY_USERS\RK_owner_ON_E_F648\Software\Microsoft\Internet Explorer\Main | Start Page : https://agencygateway1.allstate.com... -> Not selected
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-2365022637-1679265198-1259283687-1000\Software\Microsoft\Internet Explorer\Main | Start Page : https://agencygateway1.allstate.com... -> Not selected
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-2365022637-1679265198-1259283687-1000\Software\Microsoft\Internet Explorer\Main | Start Page : https://agencygateway1.allstate.com... -> Not selected
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : https://agencygateway1.allstate.com... -> Not selected
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : https://agencygateway1.allstate.com... -> Not selected
[PUM.SearchPage] (X64) HKEY_USERS\RK_owner_ON_E_F648\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redi... -> Not selected
[PUM.SearchPage] (X86) HKEY_USERS\RK_owner_ON_E_F648\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redi... -> Not selected
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-2365022637-1679265198-1259283687-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Not selected
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-2365022637-1679265198-1259283687-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Not selected
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\RK_Software_ON_E_79E9\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Not selected
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Not selected
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Not selected
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\RK_Software_ON_E_79E9\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Not selected
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Not selected
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Not selected
[Tr.Poweliks] (X64) HKEY_USERS\S-1-5-21-2365022637-1679265198-1259283687-1000\Software\classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\LocalServer32 -> Deleted

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 [Too big!] ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤

¤¤¤ Web browsers : 2 ¤¤¤
[PUP][FIREFX:Addon] cwx1i673.default : Yahoo Toolbar [{635abd67-4fe9-1b23-4f01-e679fa7484c1}] -> Not selected
[PUP][FIREFX:Addon] cwx1i673.default : zonealarm.com [ffxtlbr@zonealarm.com] -> Not selected

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: +++++
--- User ---
[MBR] e6b3b5878ee48e4cbd6372e0b960ccc8
[BSP] bff740fa63acbba4ca045911cce79d85 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 715302 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: +++++
--- User ---
[MBR] 88e8ea69c53d8b2ad27c065e9f6f09d4
[BSP] 192f3107d23e9f5b30cac1e289aad682 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 152578 MB
User = LL1 ... OK
User = LL2 ... OK


============================================
RKreport_SCN_12312014_165004.log


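What RogueKiller labelled [Tr.Poweliks] in the log above is a per-user COM registration: a LocalServer32 entry under the user's Software\classes\CLSID key. HKCR is HKLM\Software\Classes with the user's Software\Classes merged on top, so such an entry shadows the machine-wide class for that user, and whatever hosts the class (dllhost.exe, which RogueKiller also killed twice) runs the command stored there. The PowerShell below is an added example for this copy, not part of the thread and not RogueKiller's code; it lists every user-level COM server registration on the machine and marks the ones that look like hijacks. It assumes PowerShell 3 or later in an elevated session, and it only reports; it deletes nothing.

```powershell
# Added example (not from the thread, not RogueKiller's code): read-only hunt for
# per-user COM server registrations that shadow machine-wide ones, the pattern
# behind "[Tr.Poweliks] ...\Software\classes\CLSID\{...}\LocalServer32" above.
# Assumes PowerShell 3+ (for [pscustomobject]) and an elevated session so that
# every loaded user hive under HKEY_USERS is readable.

$serverKinds = 'LocalServer32', 'InprocServer32'
# Script hosts and living-off-the-land binaries that have no business being a COM server command.
$suspectPattern = 'javascript:|vbscript:|mshta|wscript|cscript|powershell|rundll32|regsvr32'

function Get-ServerImagePath {
    # Extract the executable from a server command line: "C:\dir name\a.exe" /arg  or  a.exe /arg
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $null }
    $expanded = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($expanded.StartsWith('"')) {
        $end = $expanded.IndexOf('"', 1)
        if ($end -gt 1) { return $expanded.Substring(1, $end - 1) }
        return $expanded.Trim('"')
    }
    return ($expanded -split '\s+')[0]
}

function Find-UserComHijacks {
    $findings = @()
    # Every loaded hive, including the S-1-5-18/19/20 service hives; skip the *_Classes aliases.
    $hives = Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
             Where-Object { $_.PSChildName -notlike '*_Classes' }
    foreach ($hive in $hives) {
        $clsidRoot = "Registry::HKEY_USERS\$($hive.PSChildName)\Software\Classes\CLSID"
        if (-not (Test-Path -LiteralPath $clsidRoot)) { continue }
        foreach ($clsid in Get-ChildItem -LiteralPath $clsidRoot) {
            foreach ($kind in $serverKinds) {
                $userKey = "$clsidRoot\$($clsid.PSChildName)\$kind"
                if (-not (Test-Path -LiteralPath $userKey)) { continue }
                $cmd = (Get-ItemProperty -LiteralPath $userKey).'(default)'
                # 64-bit view only; 32-bit classes live under HKLM\Software\Classes\Wow6432Node\CLSID as well.
                $machineKey = "HKLM:\Software\Classes\CLSID\$($clsid.PSChildName)\$kind"
                $image = Get-ServerImagePath $cmd
                $reasons = @()
                if (Test-Path -LiteralPath $machineKey)                { $reasons += 'shadows an HKLM registration' }
                if ($cmd -match $suspectPattern)                       { $reasons += 'script host / LOLBin in command' }
                if ($image -and -not (Test-Path -LiteralPath $image))  { $reasons += 'image not on disk' }
                if ($cmd -and $cmd.Length -gt 260)                     { $reasons += 'abnormally long command' }
                $findings += [pscustomobject]@{
                    User    = $hive.PSChildName
                    CLSID   = $clsid.PSChildName
                    Kind    = $kind
                    Command = $cmd
                    Suspect = ($reasons.Count -gt 0)
                    Reason  = ($reasons -join '; ')
                }
            }
        }
    }
    return $findings
}

# Suspect entries first. Legitimate per-user registrations (per-user installs of
# Office add-ins, for instance) will show up too, so read the Reason column before acting.
Find-UserComHijacks | Sort-Object Suspect -Descending | Format-Table -AutoSize -Wrap
```

A clean machine usually lists a handful of per-user classes with an empty Reason column. An entry whose command is a script host, or whose image is missing while an HKLM registration for the same CLSID exists, is the shape of the finding in the log and should be exported (reg export) before it is removed, so the command line is preserved for analysis.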

#3
December 31, 2014 at 15:25:37
We are on the right track; there will be more steps needed after I see the results of these logs.

Run these in this order.

Step 2: Run AdwCleaner
http://www.softpedia.com/get/Antivi...
http://www.raymond.cc/blog/adwclean...
http://www.bleepingcomputer.com/dow...
Author's site
http://general-changelog-team.fr/en...
Tutorial
http://general-changelog-team.fr/en...
Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click on Clean.
Confirm each time with Ok.
Your computer will be rebooted automatically. A text file will open after the restart.
Please Copy & Paste the contents of that logfile with your next answer.
You can find the logfile at C:\AdwCleaner[S1].txt as well.

Step 3: Run Junkware Removal Tool
http://www.softpedia.com/get/Securi...
http://www.bleepingcomputer.com/dow...
http://thisisudax.blogspot.com.au/2...
Download Junkware Removal Tool onto your Desktop. If your default download location is not the Desktop, drag it out of its location onto the Desktop.
Warning! Once the scan is complete JRT will shut down your browser with NO warning.
Shut down your protection software now to avoid potential conflicts.
Temporarily disable your antivirus and any antispyware real time protection before performing a scan.
Click this link to see a list of security programs that should be disabled and how to disable them.
http://www.bleepingcomputer.com/for...
http://www.techsupportforum.com/for...
Run the tool by double-clicking it. If you are using Windows Vista or Windows 7/8, right-click JRT and select Run as Administrator.
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved onto your Desktop and will automatically open.
Copy and Paste the contents of the JRT.txt log please.


#4
January 1, 2015 at 05:14:07
Happy New Year!

And thanks for all your help. :)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.4.1 (12.28.2014:1)
OS: Windows 7 Professional x64
Ran by Owner on Thu 01/01/2015 at 6:29:00.12
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


~~~ Services

~~~ Registry Values

~~~ Registry Keys

~~~ Files

Successfully deleted: [File] "C:\Windows\wininit.ini"

~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\ammyy"

~~~ FireFox

Emptied folder: C:\Users\Owner\AppData\Roaming\mozilla\firefox\profiles\cwx1i673.default\minidumps [15 files]

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Thu 01/01/2015 at 6:48:32.18
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


#5
January 1, 2015 at 05:46:04
"Happy New Year!"
Same to you.

You don't appear to have done Step 2:

Reread my post #3


#6
January 1, 2015 at 05:50:22
Sorry, I copy and paste both. Try this. (embarrassed) :)

# AdwCleaner v4.106 - Report created 01/01/2015 at 06:11:33
# Updated 21/12/2014 by Xplode
# Database : 2014-12-30.1 [Live]
# Operating System : Windows 7 Professional Service Pack 1 (64 bits)
# Username : Owner - OWNER-PC
# Running from : C:\Users\Owner\Desktop\adwcleaner_4.106.exe
# Option : Clean

***** [ Services ] *****

Service Deleted : YahooAUService

***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\AVG Security Toolbar
Folder Deleted : C:\ProgramData\NCH Software
Folder Deleted : C:\ProgramData\Yahoo! Companion
Folder Deleted : C:\Program Files (x86)\NCH Software
Folder Deleted : C:\Program Files (x86)\Check Point Software Technologies LTD
Folder Deleted : C:\Users\Owner\AppData\Local\Temp\mt_ffx
Folder Deleted : C:\Users\Owner\AppData\LocalLow\Yahoo! Companion
Folder Deleted : C:\Users\Owner\AppData\Roaming\NCH Software
Folder Deleted : C:\Users\Owner\AppData\Roaming\Check Point Software Technologies LTD
Folder Deleted : C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\cwx1i673.default\Extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
Folder Deleted : C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\cwx1i673.default\Extensions\ffxtlbr@zonealarm.com
File Deleted : C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\cwx1i673.default\searchplugins\zonealarm.xml
File Deleted : C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\cwx1i673.default\user.js
File Deleted : C:\Program Files (x86)\Mozilla Firefox\browser\searchplugins\wtu-secure-search.xml

***** [ Scheduled Tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\AppID\escortEng.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\esrv.EXE
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHost.Tool
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHost.Tool.1
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{06DEB529-DE09-43EC-B6E2-451AAB0FF000}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{058F0E48-61CA-4964-9FBA-1978A1BB060D}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{18F33C35-8EF2-40D7-8BA4-932B0121B472}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{19D2F415-D58B-46BC-9390-C03DCBC21EB2}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6E45F3E8-2683-4824-A6BE-08108022FB36}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{744E0E81-BC79-4719-A58B-C98F7E78EE5D}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{987D9269-F8A1-408F-BF62-4397D2F5363E}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{9F0F16DD-4E76-4049-A9B1-7A91E48F0323}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E0722BEB-FDA1-4AA1-A2A8-15A74A5B3F70}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F4288797-CB12-49CE-9DF8-7CDFA1143BEA}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{744E0E81-BC79-4719-A58B-C98F7E78EE5D}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{06DEB529-DE09-43EC-B6E2-451AAB0FF000}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{212C2C4F-C845-4FBC-9561-C833A13D8DCE}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{3C5D1D57-16C8-473C-A552-37B8D88596FE}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{4A115D8A-6A7B-4C72-92B1-2E2D01F36979}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{99DF8440-814E-497F-BDDD-FB93E9E9DF96}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{E00DE9B9-B128-4C39-B732-B5D85013FA48}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{83CAD530-387D-40FD-82EA-B9E863D92A9B}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{744E0E81-BC79-4719-A58B-C98F7E78EE5D}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yahoo! Toolbar
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yahoo! Companion

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17496


-\\ Mozilla Firefox v34.0.5 (x86 en-US)

[cwx1i673.default\prefs.js] - Line Deleted : user_pref("browser.search.selectedEngine", "AVG Secure Search");
[cwx1i673.default\prefs.js] - Line Deleted : user_pref("extensions.zonealarm.tlbrSrchUrl", "hxxp://search.zonealarm.com/search?src=tb&tbid=HFA5&Lan={dfltLng}&gu=8bbab2886f8746e096dcd71fb9378d1a&tu=10G9y00Ha2D33N0&sku=&tstsId=&ver=&&q=");

*************************

AdwCleaner[R0].txt - [6146 octets] - [01/01/2015 06:09:39]
AdwCleaner[S0].txt - [6033 octets] - [01/01/2015 06:11:33]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [6093 octets] ##########

#7
January 1, 2015 at 05:52:15
I MEANT to say I FORGOT to copy and paste both. smh Not only can I not TALK straight this morning, I can't even TYPE straight!!!

Hmm. Let alone READ straight (as I see I could have EDITED the previous message). Oh well. I hope you have a LOT of patience.

#8
January 1, 2015 at 05:57:43
" I hope you have a LOT of patience"
Yep, I'm a very patient person.

Step 4: Please download Powelikscleaner (by ESET) and save it to your Desktop.
http://www.bleepingcomputer.com/vir...
http://download.eset.com/special/ES...
Double-click the downloaded cleaner to start the tool.
Read the terms of the End-user license agreement and click Agree if you agree to them.
The tool will run automatically. If the cleaner finds a Poweliks infection, press the Y key on your keyboard to remove it.
If Poweliks was detected "Win32/Poweliks was successfully removed from your system" will be displayed. Press any key to exit the tool and reboot your PC.
The tool will produce a log in the same directory the tool was run from.
Please copy and paste the log in your next reply.

#9
January 1, 2015 at 06:14:08
I'm going away for a few days tomorrow. I'm here.
http://www.timeanddate.com/worldclo...

How much longer can you stay with me on this session?
I'm prepared to get most of the work done in this session.


#10
January 1, 2015 at 06:16:28
Is there any way to figure out how much to send each time? I keep getting a message that the post is too large.

#11
January 1, 2015 at 06:23:55
Upload it using this, or upload to a site of your choosing. No account needed. Give us the link please.
http://www.zippyshare.com/
Instructions on how to use ZippyShare.
http://i.imgur.com/naG6t2T.gif
http://i.imgur.com/Vi9ZdIh.gif
http://i.imgur.com/1IZu5kP.gif

#12
January 1, 2015 at 06:28:55

#13
January 1, 2015 at 06:32:05
Reply to my post #9 please.

Step 5: Update & Run Malwarebytes' Anti-Malware ( MBAM ) Free Version. Use Quick scan ( now called Threat Scan )
Malwarebytes' Anti-Malware
http://www.softpedia.com/get/Antivi...
http://www.malwarebytes.org/free/
Make sure you uncheck > Enable free trial < at the END of the install.
http://i.imgur.com/tUFCbYz.gif
Click the Settings tab at the top, and then in the left column, select Detections and Protections, and if not already checked place a checkmark in the selection box to Scan for rootkits.
http://i.imgur.com/dZgt1g2.gif
Copy and Paste the contents of the log, in your reply please.

If potential threats are detected, ensure that Quarantine is selected as the Action for all the listed items, and click the Apply Actions button.
If your MBAM log indicates "No action taken", that's usually a result of NOT clicking the Apply Actions button after the scan. In most cases, a restart will be required.
If you misplace your log, here are ways to find it.
http://i.imgur.com/U9IqcVj.gif
http://i.imgur.com/zHMG6J9.gif
http://i.imgur.com/ZZ1trsv.gif
http://i.imgur.com/LL0K3qs.gif
Or,
(Export log to save as txt)
After the restart once you are back at your desktop, open MBAM once more.
Click on the History tab > Application Logs.
Double click on the scan log which shows the Date and time of the scan just performed.
Click 'Export'.
Click 'Text file (*.txt)'
In the Save File dialog box which appears, click on Desktop.
In the File name: box type a name for your scan log.
A message box named 'File Saved' should appear stating "Your file has been successfully exported".
Click Ok
http://i.imgur.com/LNl3Sgw.gif
http://i.imgur.com/xGJgawB.gif


#14
January 1, 2015 at 07:22:48
I apologize for not seeing post 9. I can be here as long as you want. If you need to leave for a few days, let me know when you will return. I do not want to inconvenience you. You have been a great help and I appreciate it.

I am running Malwarebytes scan now.

I see it is very late where you are. Please let me know when you need to stop for awhile. Have a lovely vacation whenever you leave.

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 1/1/2015
Scan Time: 10:25:54 AM
Logfile:
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2015.01.01.02
Rootkit Database: v2014.12.30.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Owner

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 333528
Time Elapsed: 18 min, 58 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

#15
January 1, 2015 at 12:14:19
"I apologize for not seeing post 9"
I didn't know if you were still with me, went to bed.
Back to bed for me now.

Step 6: Please download Farbar Recovery Scan Tool and save it onto your Desktop. If your default download location is not the Desktop, drag it out of it's location onto the Desktop.
http://www.bleepingcomputer.com/dow...
If we have to run Farbar more than once, refer to this SS.
http://i.imgur.com/yUxNw0j.gif
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) on the Desktop.
The first time the tool is run, it makes also another log (Addition.txt).
The logs are large, upload them using this, or upload to a site of your choosing. No account needed. Give us the links please.
http://www.zippyshare.com/
Instructions on how to use ZippyShare.
http://i.imgur.com/naG6t2T.gif
http://i.imgur.com/Vi9ZdIh.gif
http://i.imgur.com/1IZu5kP.gif


#16
January 1, 2015 at 15:07:08
Ooops! Thought you were gone. I quit looking. We are playing "puter" tag. Let me know when you are leaving and approximately when you plan to return (your time), if possible. I will check the current time where you are. Thank you. Have a great time. :)

http://www39.zippyshare.com/v/29082...
http://www39.zippyshare.com/v/10868...


#17
January 1, 2015 at 15:40:37
Leave in about 2 hours, back home Sunday about 4pm.

Step 7: Copy & Paste the text below ( starting closeprocesses: ), save it into Notepad on your Desktop & name it fixlist.txt
NOTE: It is important that Notepad is used. The fix will not work if Word or some other program is used.
NOTE: It is important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

closeprocesses:
emptytemp:
AlternateDataStreams: C:\ProgramData\TEMP:5C321E34
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
ShortcutTarget: TeamViewer.exe - Shortcut.lnk -> C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe (No File)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => No File
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
Toolbar: HKU\S-1-5-21-2365022637-1679265198-1259283687-1000 -> No Name - {B24BA06E-FB7B-4757-95C2-DC01125F750E} - No File
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @java.com/JavaPlugin -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\new_plugin\npjp2.dll No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
S2 BroadCamService; "C:\Program Files (x86)\NCH Software\BroadCam\broadcam.exe" -service [X]
S3 NPF; system32\drivers\NPF.sys [X]
C:\Users\Owner\AppData\Local\Temp\dllnt_dump.dll
C:\Users\Owner\AppData\Local\Temp\Quarantine.exe
C:\Users\Owner\AppData\Local\Temp\sqlite3.dll

Run FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please Copy & Paste the contents into your reply.


#18
January 2, 2015 at 07:06:35
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 01-01-2015
Ran by Owner at 2015-01-01 20:57:08 Run:1
Running from C:\Users\Owner\Desktop
Loaded Profile: Owner (Available profiles: Owner)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
closeprocesses:
emptytemp:
AlternateDataStreams: C:\ProgramData\TEMP:5C321E34
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
ShortcutTarget: TeamViewer.exe - Shortcut.lnk -> C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe (No File)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => No File
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
Toolbar: HKU\S-1-5-21-2365022637-1679265198-1259283687-1000 -> No Name - {B24BA06E-FB7B-4757-95C2-DC01125F750E} - No File
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @java.com/JavaPlugin -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\new_plugin\npjp2.dll No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
S2 BroadCamService; "C:\Program Files (x86)\NCH Software\BroadCam\broadcam.exe" -service [X]
S3 NPF; system32\drivers\NPF.sys [X]
C:\Users\Owner\AppData\Local\Temp\dllnt_dump.dll
C:\Users\Owner\AppData\Local\Temp\Quarantine.exe
C:\Users\Owner\AppData\Local\Temp\sqlite3.dll
*****************

Processes closed successfully.
C:\ProgramData\TEMP => ":5C321E34" ADS removed successfully.
"HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SDWinLogon" => Key deleted successfully.
C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe not found.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00avast" => Key deleted successfully.
HKCR\CLSID\{472083B0-C522-11CF-8763-00608CC02F24} => Key not found.
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-21-2365022637-1679265198-1259283687-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{B24BA06E-FB7B-4757-95C2-DC01125F750E} => value deleted successfully.
HKCR\CLSID\{B24BA06E-FB7B-4757-95C2-DC01125F750E} => Key not found.
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => Key deleted successfully.
"HKLM\Software\Wow6432Node\MozillaPlugins\@java.com/JavaPlugin" => Key deleted successfully.
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => Key deleted successfully.
BroadCamService => Service deleted successfully.
NPF => Service deleted successfully.
C:\Users\Owner\AppData\Local\Temp\dllnt_dump.dll => Moved successfully.
C:\Users\Owner\AppData\Local\Temp\Quarantine.exe => Moved successfully.
C:\Users\Owner\AppData\Local\Temp\sqlite3.dll => Moved successfully.
EmptyTemp: => Removed 17.3 GB temporary data.


The system needed a reboot.

==== End of Fixlog 08:57:14 ====


#19
January 4, 2015 at 00:58:40
What issues do you have now?

#20
January 4, 2015 at 03:22:15
Welcome back. I hope your trip went well.

I sell insurance from my home.

The program only uses Internet Explorer. When I tried to log on after these fixes, I encountered an error with the following details:

"Method: GET

URL: /wps/myportal/Home

Error Code: 0x38cf0963

Error Text: Error Description: Your browser supplied NTLM authentication data.NTLM is not supported by WebSEAL. Ensure that your browser is configured to use Integrated Windows Authentication.URL: /wps/myportal/Home"

I assume that I will either need to call their tech support to possibly reload/reinstall certain things to get that resolved. Am I correct in my assumption?

Other than that, I find the computer is running much faster and more smoothly.

Thank you so much for all your help.


#21
January 4, 2015 at 04:02:16
Trip went well thanks, 1000km's of driving to a wedding.

Step 8: Run DelFix
https://toolslib.net/downloads/view...
DelFix is designed to delete all removal tools used during a disinfection.
Indeed, these tools are often updated. It's recommended not to keep or use outdated versions on the computer.
It's compatible with Windows XP, Vista, 7, 8 in 32 & 64 bits.
Run the tool by right click on the DelFix icon and Run as administrator option.
Make sure that these are checked:
Remove disinfection tools
Purge system restore
Reset system settings
Click Run and wait until the tool completes its work.
All tools we used should be gone. The tool will create a report for you (C:\DelFix.txt).

//////////////////////////////////////

As you can see from your logs, you had a lot of stuff installed that you do not know how it got installed.
A lot of programs now give you the choice to install toolbars & other things during the install. Either uncheck these items during install, or use Custom install. No more click, click during an install; you have to read after each click.

I use Softpedia & FreewareFiles.com; down the bottom of the page, they make you aware of what ad-supported programs the author of the program has included.
http://www.freewarefiles.com/new_fi...
Sample pages
http://www.softpedia.com/get/CD-DVD...
First and foremost, extra attention needs to be paid during installation as ImgBurn offers to create desktop shortcuts to third-party apps, as well as install a browser toolbar onto the host computer, which are not required to ensure the smooth running of the app.
SS of above.
http://i.imgur.com/jgGYNsP.gif
This is what ImgBurn tries to install.
http://i.imgur.com/ms4DzE9.gif
http://i.imgur.com/vVkd39a.gif
http://i.imgur.com/rqFVaHs.gif
http://i.imgur.com/sm1T7h6.gif
http://i.imgur.com/vhkKLYo.gif

Use Unchecky to help prevent these third-party installs. Nothing is perfect, the baddies are always ahead of the goodies, so be vigilant.
http://www.softpedia.com/get/System...
http://unchecky.com/
A reliable application that aims to protect your computer against third-party components often offered during software installations.

///////////////////////////////////////////////

I Google everything. This is a start & one of these links probably will sort it out for you.

integrated windows authentication internet explorer
http://is.gd/NNnAKO
http://is.gd/rSaTvB
https://docs.secureauth.com/display...

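The error in post #20 turns on how Internet Explorer decides to answer a Windows authentication challenge, which is governed by per-user settings: the Advanced option "Enable Integrated Windows Authentication" (the EnableNegotiate value), each security zone's "Logon" policy (zone value 1A00), and which zone the site is mapped to (ZoneMap\Domains). The PowerShell below is an added example for this copy, not from the thread or from the linked articles; it decodes those settings read-only so the answer to "is the browser configured for Integrated Windows Authentication" is in front of you before calling support. The host name is an assumption taken from the Start Page entries in the RogueKiller log, and whether changing any of these settings clears the WebSEAL error is for the site's support to confirm.

```powershell
# Added example (not from the thread): read-only dump of the Internet Explorer
# settings that decide how a Windows authentication challenge is answered.
# Assumes PowerShell 3+ and the profile of the user who sees the error.

$hostToCheck = 'agencygateway1.allstate.com'   # assumption: taken from the Start Page entries in the log above

$base      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
# Zone value 1A00 ("Logon"): what IE does when a site in that zone asks for Windows credentials.
$logonModes = @{
    0      = 'automatic logon with current user name and password'   # 0x00000
    65536  = 'prompt for user name and password'                      # 0x10000
    131072 = 'automatic logon only in Intranet zone'                  # 0x20000
    196608 = 'anonymous logon'                                        # 0x30000
}

function Get-IeAuthSettings {
    $props = Get-ItemProperty -Path $base
    # Advanced > Security > "Enable Integrated Windows Authentication"; IE must be restarted after a change.
    $negotiate = if ($null -eq $props.EnableNegotiate) { 'not set (IE default: enabled)' }
                 elseif ($props.EnableNegotiate -eq 1) { 'enabled' }
                 else { 'disabled' }
    $zones = foreach ($z in 0..4) {
        $logon = (Get-ItemProperty -Path "$base\Zones\$z" -ErrorAction SilentlyContinue).'1A00'
        $mode  = if ($null -eq $logon) { 'not set (IE default for this zone)' }
                 elseif ($logonModes.ContainsKey([int]$logon)) { $logonModes[[int]$logon] }
                 else { 'unknown value 0x{0:X}' -f $logon }
        [pscustomobject]@{ Zone = $z; Name = $zoneNames[$z]; Logon = $mode }
    }
    [pscustomobject]@{ IntegratedWindowsAuth = $negotiate; Zones = $zones }
}

function Get-IeZoneForHost {
    param([string]$HostName)
    # ZoneMap\Domains\<domain>[\<subdomain>] holds a DWORD per scheme (http, https or *) whose
    # value is the zone number. A value on the domain key itself covers the domain and its
    # subdomains; a subdomain key names one host and is the more specific match.
    # Caveat: with the "Security_HKLM_only" policy the map lives under HKLM, not HKCU.
    $domains = "$base\ZoneMap\Domains"
    if (Test-Path $domains) {
        foreach ($domain in Get-ChildItem -Path $domains) {
            $d = $domain.PSChildName
            $entries = @()
            if ($HostName -eq $d -or $HostName.EndsWith(".$d")) {
                $entries += [pscustomobject]@{ Name = $d; Path = $domain.PSPath }
            }
            foreach ($sub in Get-ChildItem -Path $domain.PSPath) {
                $name = "$($sub.PSChildName).$d"
                if ($HostName -eq $name) { $entries += [pscustomobject]@{ Name = $name; Path = $sub.PSPath } }
            }
            foreach ($entry in ($entries | Sort-Object -Property { $_.Name.Length } -Descending)) {
                $p = Get-ItemProperty -Path $entry.Path
                foreach ($scheme in 'https', 'http', '*') {
                    if ($null -ne $p.$scheme) {
                        return [pscustomobject]@{ Host = $HostName; MappedBy = $entry.Name; Scheme = $scheme; Zone = $zoneNames[[int]$p.$scheme] }
                    }
                }
            }
        }
    }
    [pscustomobject]@{ Host = $HostName; MappedBy = '(no entry)'; Scheme = '-'; Zone = 'Internet (default for unmapped hosts)' }
}

$settings = Get-IeAuthSettings
"Integrated Windows Authentication: $($settings.IntegratedWindowsAuth)"
$settings.Zones | Format-Table -AutoSize
Get-IeZoneForHost -HostName $hostToCheck | Format-List
```

Read the three parts together: the zone the host lands in, that zone's Logon mode, and whether Integrated Windows Authentication is enabled at all. A host left in the Internet zone with "automatic logon only in Intranet zone" will never be sent the current credentials silently, which is the usual reason a browser ends up answering a challenge differently from what an intranet portal expects.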

#22
January 4, 2015 at 10:05:12
Thanks, John for all your help. I really appreciate it.

#23
April 7, 2015 at 02:46:25
Hi, first I tried Malware Protector. After I ran this I got system memory and system register, and I got something like this here:

hkey_local_machine\software\classes\appid\escorteng.dll
hkey_local_machine\software\classes\appid\escorteng.dll\appid

Since I don't pay for the malware program, I went to search on my PC and wrote: regedit, and came to the registry ("redigering" in Norwegian; maybe "editing" is correct), and found first hkey_local_machine, etc., etc., and went down until I found them and deleted them.


#24
April 7, 2015 at 19:26:09
Better to reinstall your OS if possible, since most free antivirus do not work.
