My PC seems to be sending spam emails, but they don't seem to be going to people in my address book. I keep getting undelivered mail messages from my provider. They are all unknown to me.
Your email account has likely been hacked. Change your password.
Also run this on it: MalwareBytes:
http://filehippo.com/download_malwa...
(green Download button top right - not anything else on the page)
Install and Run the program but before doing its Scan go to "Settings > Detection and Protection" and put a checkmark in "Scan for rootkits". Quarantine anything it finds. If it finds anything please copy/paste the log on here.
Always pop back and let us know the outcome - thanks
I have run Malwarebytes but it found nothing.
OK can you run this little file too - it is quick to do and looks for quite different things: AdwCleaner:
http://www.bleepingcomputer.com/dow...
(blue Download button near top - not anything else on the page).
Download and "Save" the file somewhere. Go to the saved file then double click it to run the program. Use the "Scan" button, followed by the "Cleaning" button. Again, paste the log if it finds anything please.
Always pop back and let us know the outcome - thanks
Sorry for the delay, I have just got up. Ran AdwCleaner, log below.
# AdwCleaner v3.101 - Report created 12/06/2015 at 08:48:14
# Updated 20/04/2014 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Brian Halson - BRIANHALSON-PC
# Running from : C:\Users\Brian Halson\Desktop\Security\AdwCleaner.exe
# Option : Scan
***** [ Services ] *****
***** [ Files / Folders ] *****
Folder Found : C:\Users\Brian Halson\AppData\Local\Google\Chrome\User Data\Default\Extensions\jbolfgndggfhhpbnkgnpjkfhinclbigj
Folder Found : C:\AI_RecycleBin
Folder Found : C:\Program Files (x86)\Toolbar Cleaner
Folder Found : C:\ProgramData\Package Cache
Folder Found : C:\Users\Brian Halson\AppData\LocalLow\adawaretb
Folder Found : C:\Users\Brian Halson\AppData\Roaming\SecureSearch
Folder Found : C:\Users\BRIANH~1\AppData\Local\Temp\AI_RecycleBin
Folder Found : C:\Users\BRIANH~1\AppData\Local\Temp\AI_RecycleBin
Folder Found : C:\Users\BRIANH~1\AppData\Local\Temp\AI_RecycleBin
Folder Found : C:\Users\BRIANH~1\AppData\Local\Temp\AI_RecycleBin
Folder Found : C:\Users\BRIANH~1\AppData\Local\Temp\AI_RecycleBin
Folder Found : C:\Windows\SysWOW64\AI_RecycleBin
***** [ Shortcuts ] *****
***** [ Registry ] *****
Key Found : HKCU\Software\AppDataLow\Software\adawarebp
Key Found : HKCU\Software\AppDataLow\Software\adawaretb
Key Found : HKCU\Software\Classes\pokki
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2318C2B1-4965-11D4-9B18-009027A5CD4F}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2318C2B1-4965-11D4-9B18-009027A5CD4F}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6C97A91E-4524-4019-86AF-2AA2D567BF5C}
Key Found : HKLM\Software\adawaretb
Key Found : HKLM\SOFTWARE\Classes\CLSID\{00000001-4FEF-40D3-B3FA-E0531B897F98}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{64697678-0000-0010-8000-00AA00389B71}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{baad6aa7-889d-4db4-8666-f71544310e82}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{F6E8FC04-8B05-48B1-9399-848229502A06}
Key Found : HKLM\SOFTWARE\classes\FMMediaFormats.FormatCodecVideo
Key Found : HKLM\SOFTWARE\classes\FMMediaFormats.FormatCodecVideo.1
Key Found : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Found : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\jbolfgndggfhhpbnkgnpjkfhinclbigj
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6C97A91E-4524-4019-86AF-2AA2D567BF5C}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{6C97A91E-4524-4019-86AF-2AA2D567BF5C}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Toolbar Cleaner
Key Found : HKLM\Software\Toolbar Cleaner
Key Found : [x64] HKLM\SOFTWARE\Classes\CLSID\{00000001-4FEF-40D3-B3FA-E0531B897F98}
Key Found : [x64] HKLM\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}
Key Found : [x64] HKLM\SOFTWARE\Classes\CLSID\{64697678-0000-0010-8000-00AA00389B71}
Key Found : [x64] HKLM\SOFTWARE\Classes\CLSID\{F6E8FC04-8B05-48B1-9399-848229502A06}
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6C97A91E-4524-4019-86AF-2AA2D567BF5C}
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{2318C2B1-4965-11D4-9B18-009027A5CD4F}]
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{6C97A91E-4524-4019-86AF-2AA2D567BF5C}]
Value Found : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{2318C2B1-4965-11D4-9B18-009027A5CD4F}]
Value Found : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{6C97A91E-4524-4019-86AF-2AA2D567BF5C}]
***** [ Browsers ] *****
-\\ Internet Explorer v11.0.9600.17840
-\\ Mozilla Firefox v38.0.5 (x86 en-US)
[ File : C:\Users\Brian Halson\AppData\Roaming\Mozilla\Firefox\Profiles\qaysjhks.default-1423976249486\prefs.js ]
-\\ Google Chrome v43.0.2357.124
[ File : C:\Users\Brian Halson\AppData\Local\Google\Chrome\User Data\Default\preferences ]
*************************
AdwCleaner[R0].txt - [13300 octets] - [21/04/2014 15:17:07]
AdwCleaner[R1].txt - [4171 octets] - [12/06/2015 08:48:14]
AdwCleaner[S0].txt - [13320 octets] - [21/04/2014 15:21:36]
########## EOF - C:\AdwCleaner\AdwCleaner[R1].txt - [4292 octets] ##########
Yes, it found and fixed a few things. It would therefore be worth running this one too:
Junkware Removal Tool (JRT)
http://www.bleepingcomputer.com/dow...
(blue Download button near top - not anything else on the page).
Download and "Save" the file somewhere. Go to the saved file then double click it to run JRT. It might appear to have stopped at times or flash the screen but sit tight until it has finished. Please copy/paste log as before and let me know if you are still getting the undelivered messages.
Always pop back and let us know the outcome - thanks
Next step, topbooka; more steps will be needed after this. Run Junkware Removal Tool
http://www.softpedia.com/get/Securi...
http://www.bleepingcomputer.com/dow...
http://thisisudax.org/
http://thisisudax.blogspot.com.au/2...
Download Junkware Removal Tool onto your Desktop. If your default download location is not the Desktop, drag it out of its location onto the Desktop.
Warning! Once the scan is complete JRT will shut down your browser with NO warning.
Shut down your protection software now to avoid potential conflicts.
Temporarily disable your antivirus and any antispyware real time protection before performing a scan.
Click this link to see a list of security programs that should be disabled and how to disable them.
http://www.bleepingcomputer.com/for...
http://www.techsupportforum.com/for...
Run the tool by double-clicking it. If you are using Windows Vista or Windows 7/8, right-click JRT and select Run as Administrator.
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved onto your Desktop and will automatically open.
Copy and Paste the contents of the JRT.txt log please.
Oops, Derek, saw the post was about an hour old, thought you may not be around.
topbooka, did you hit the AdwCleaner Clean button? If so can we have the log please.
message edited by Johnw
No matter, I've gotta go now anyhow (gas men tearing up the main and service pipes early tomorrow). Please carry on - Nite. Always pop back and let us know the outcome - thanks
Scan complete for JRT, log below.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.9.1 (06.08.2015:1)
OS: Windows 7 Home Premium x64
Ran by Brian Halson on Fri 12/06/2015 at 10:17:41.61
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~ Services
~~~ Tasks
~~~ Registry Values
~~~ Registry Keys
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{3A2D5EBA-F86D-4BD3-A177-019765996711}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3A2D5EBA-F86D-4BD3-A177-019765996711}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{3A2D5EBA-F86D-4BD3-A177-019765996711}
~~~ Files
Successfully deleted: [File] C:\Windows\reimage.ini
Successfully deleted: [File] C:\Windows\system32\LavasoftTcpService64.dll
Successfully deleted: [File] C:\Windows\system32\LavasoftTcpServiceOff.ini
Successfully deleted: [File] C:\Windows\syswow64\LavasoftTcpService.dll
Successfully deleted: [File] C:\Windows\syswow64\LavasoftTcpService.ini
Successfully deleted: [File] C:\Windows\syswow64\LavasoftTcpServiceOff.ini
Successfully deleted: [File] C:\Users\Brian Halson\appdata\local\google\chrome\user data\default\local storage\hxxp_st.chatango.com_0.localstorage
Successfully deleted: [File] C:\Users\Brian Halson\appdata\local\google\chrome\user data\default\local storage\hxxp_st.chatango.com_0.localstorage-journal
~~~ Folders
Successfully deleted: [Empty Folder] C:\Users\Brian Halson\appdata\local\{0FE5A262-4593-4B46-ACBE-CE1BF8680E20}
Successfully deleted: [Empty Folder] C:\Users\Brian Halson\appdata\local\{18E00A1B-759A-4305-85C9-857A22C0D2BC}
Successfully deleted: [Empty Folder] C:\Users\Brian Halson\appdata\local\{246BB934-69E8-4F5D-B450-18E7D2A74316}
Successfully deleted: [Empty Folder] C:\Users\Brian Halson\appdata\local\{2E6FDAC2-7640-44C8-925C-515680FD6CA8}
Successfully deleted: [Empty Folder] C:\Users\Brian Halson\appdata\local\{4ED9330C-9D2B-483E-9DDA-F48783632BFE}
Successfully deleted: [Empty Folder] C:\Users\Brian Halson\appdata\local\{541A7EE6-E726-4DCB-A110-11C066BF285B}
Successfully deleted: [Empty Folder] C:\Users\Brian Halson\appdata\local\{597C6705-4C36-49B4-AB5C-4312A57D23E5}
Successfully deleted: [Empty Folder] C:\Users\Brian Halson\appdata\local\{71C9B01D-C8BD-487E-B877-6F280B549D8B}
Successfully deleted: [Empty Folder] C:\Users\Brian Halson\appdata\local\{90AC93D8-9AC8-4E2D-8CEF-382DAFCF61D0}
Successfully deleted: [Empty Folder] C:\Users\Brian Halson\appdata\local\{B041A4BC-6D8E-480A-A773-66DDB771F040}
Successfully deleted: [Empty Folder] C:\Users\Brian Halson\appdata\local\{C302BB07-D6B1-483E-94DA-17693E20A646}
Successfully deleted: [Empty Folder] C:\Users\Brian Halson\appdata\local\{C832CF3F-9475-4B30-A85F-218E5F97628E}
Successfully deleted: [Empty Folder] C:\Users\Brian Halson\appdata\local\{DD54A7D0-FBE1-416E-9D00-4B427DB3E7EC}
Successfully deleted: [Empty Folder] C:\Users\Brian Halson\appdata\local\{F5998EFF-7693-4AFC-9F62-008770DAA4B3}
Successfully deleted: [Folder] C:\Users\Brian Halson\AppData\Roaming\getprivate
Successfully deleted: [Folder] C:\Users\Brian Halson\AppData\Roaming\getrighttogo
Successfully deleted: [Folder] C:\ProgramData\4899dd140d5f13cc
~~~ FireFox
~~~ Chrome
Successfully deleted: [Folder] C:\Users\Brian Halson\appdata\local\Google\Chrome\User Data\Default\Extensions\jbolfgndggfhhpbnkgnpjkfhinclbigj
[C:\Users\Brian Halson\appdata\local\Google\Chrome\User Data\Default\Preferences] - default search provider reset
[C:\Users\Brian Halson\appdata\local\Google\Chrome\User Data\Default\Preferences] - Extensions Deleted:
[C:\Users\Brian Halson\appdata\local\Google\Chrome\User Data\Default\Secure Preferences] - default search provider reset
[C:\Users\Brian Halson\appdata\local\Google\Chrome\User Data\Default\Secure Preferences] - Extensions Deleted:
[
jbolfgndggfhhpbnkgnpjkfhinclbigj
]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Fri 12/06/2015 at 10:23:24.08
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Sorry for the delay I have just got up"
Me too, I'm here.
http://www.timeanddate.com/worldclo...
Just waiting on the log from my post #9
EDIT. Note: AdwCleaner has a Clean button, not Delete.
message edited by Johnw
Morning Johnw
Log is at post #5
"Log is at post #5"
Yep, but that only shows what it found. Need the log showing what it deleted after hitting the Clean button.
message edited by Johnw
Sorry, but I cannot find this log; I can only find what is in quarantine.
You can find the logfile at C:\AdwCleaner[S1].txt
Thanks, found it.
# AdwCleaner v3.101 - Report created 12/06/2015 at 09:59:06
# Updated 20/04/2014 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Brian Halson - BRIANHALSON-PC
# Running from : C:\Users\Brian Halson\Desktop\Security\AdwCleaner.exe
# Option : Clean
***** [ Services ] *****
***** [ Files / Folders ] *****
Folder Deleted : C:\AI_RecycleBin
Folder Deleted : C:\ProgramData\Package Cache
Folder Deleted : C:\Program Files (x86)\Toolbar Cleaner
Folder Deleted : C:\Windows\SysWOW64\AI_RecycleBin
Folder Deleted : C:\Users\BRIANH~1\AppData\Local\Temp\AI_RecycleBin
Folder Deleted : C:\Users\Brian Halson\AppData\LocalLow\adawaretb
Folder Deleted : C:\Users\Brian Halson\AppData\Roaming\SecureSearch
Folder Deleted : C:\Users\Brian Halson\AppData\Local\Google\Chrome\User Data\Default\Extensions\jbolfgndggfhhpbnkgnpjkfhinclbigj
***** [ Shortcuts ] *****
***** [ Registry ] *****
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\jbolfgndggfhhpbnkgnpjkfhinclbigj
Key Deleted : HKCU\Software\Classes\pokki
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Deleted : HKLM\SOFTWARE\classes\FMMediaFormats.FormatCodecVideo
Key Deleted : HKLM\SOFTWARE\classes\FMMediaFormats.FormatCodecVideo.1
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{00000001-4FEF-40D3-B3FA-E0531B897F98}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{64697678-0000-0010-8000-00AA00389B71}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{baad6aa7-889d-4db4-8666-f71544310e82}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F6E8FC04-8B05-48B1-9399-848229502A06}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6C97A91E-4524-4019-86AF-2AA2D567BF5C}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2318C2B1-4965-11D4-9B18-009027A5CD4F}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6C97A91E-4524-4019-86AF-2AA2D567BF5C}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2318C2B1-4965-11D4-9B18-009027A5CD4F}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{6C97A91E-4524-4019-86AF-2AA2D567BF5C}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{2318C2B1-4965-11D4-9B18-009027A5CD4F}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{6C97A91E-4524-4019-86AF-2AA2D567BF5C}]
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{00000001-4FEF-40D3-B3FA-E0531B897F98}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{64697678-0000-0010-8000-00AA00389B71}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{F6E8FC04-8B05-48B1-9399-848229502A06}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6C97A91E-4524-4019-86AF-2AA2D567BF5C}
Value Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{2318C2B1-4965-11D4-9B18-009027A5CD4F}]
Value Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{6C97A91E-4524-4019-86AF-2AA2D567BF5C}]
Key Deleted : HKCU\Software\AppDataLow\Software\adawarebp
Key Deleted : HKCU\Software\AppDataLow\Software\adawaretb
Key Deleted : HKLM\Software\adawaretb
Key Deleted : HKLM\Software\Toolbar Cleaner
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Toolbar Cleaner
***** [ Browsers ] *****
-\\ Internet Explorer v11.0.9600.17840
-\\ Mozilla Firefox v38.0.5 (x86 en-US)
[ File : C:\Users\Brian Halson\AppData\Roaming\Mozilla\Firefox\Profiles\qaysjhks.default-1423976249486\prefs.js ]
-\\ Google Chrome v43.0.2357.124
[ File : C:\Users\Brian Halson\AppData\Local\Google\Chrome\User Data\Default\preferences ]
*************************
AdwCleaner[R0].txt - [13300 octets] - [21/04/2014 15:17:07]
AdwCleaner[R1].txt - [4400 octets] - [12/06/2015 08:48:14]
AdwCleaner[S0].txt - [13320 octets] - [21/04/2014 15:21:36]
AdwCleaner[S1].txt - [4123 octets] - [12/06/2015 09:59:06]
########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [4183 octets] ##########
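The Clean log was asked for above because the Scan log only lists what was found. The following added example (not part of AdwCleaner or of any post in this thread) reconciles a Scan report against its Clean report in the v3 format shown here, using constructed excerpts with a placeholder user path, and lists every Found item that was never reported Deleted:

```python
"""Reconcile an AdwCleaner v3 Scan report with the matching Clean report:
anything listed as Found that never shows up as Deleted still needs attention.
Added example, not part of AdwCleaner; the two excerpts below are constructed
in the report format seen in this thread (user path replaced by USER~1)."""
import re

SCAN_REPORT = r"""
# AdwCleaner v3.101 - Report created 12/06/2015 at 08:48:14
# Option : Scan
***** [ Files / Folders ] *****
Folder Found : C:\AI_RecycleBin
Folder Found C:\Program Files (x86)\Toolbar Cleaner
Folder Found C:\Users\USER~1\AppData\Local\Temp\AI_RecycleBin
Folder Found C:\Users\USER~1\AppData\Local\Temp\AI_RecycleBin
***** [ Registry ] *****
Key Found : HKCU\Software\Classes\pokki
Key Found : HKLM\Software\adawaretb
Key Found : [x64] HKLM\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{2318C2B1-4965-11D4-9B18-009027A5CD4F}]
"""

# Constructed Clean report that (deliberately) misses one registry key.
CLEAN_REPORT = r"""
# AdwCleaner v3.101 - Report created 12/06/2015 at 09:59:06
# Option : Clean
***** [ Files / Folders ] *****
Folder Deleted : C:\AI_RecycleBin
Folder Deleted : C:\Program Files (x86)\Toolbar Cleaner
Folder Deleted : C:\Users\USER~1\AppData\Local\Temp\AI_RecycleBin
***** [ Registry ] *****
Key Deleted : HKCU\Software\Classes\pokki
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{2318C2B1-4965-11D4-9B18-009027A5CD4F}]
"""

# The colon after Found/Deleted is optional: some log lines omit it.
ITEM_RE = re.compile(
    r"^(?P<kind>Folder|File|Key|Value|Shortcut)\s+(?P<verb>Found|Deleted)\s*:?\s*(?P<target>.+?)\s*$")
OPTION_RE = re.compile(r"^#\s*Option\s*:\s*(?P<opt>\w+)")

def parse_report(text):
    """Return (option, {normalised target: (kind, verb)}) for the item lines.
    Registry and NTFS paths are case-insensitive, so targets are lower-cased;
    the dict also collapses the duplicate lines AdwCleaner prints for one folder."""
    option, items = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = OPTION_RE.match(line)
        if m:
            option = m.group("opt")
            continue
        m = ITEM_RE.match(line)
        if m:
            items[m.group("target").lower()] = (m.group("kind"), m.group("verb"))
    return option, items

def reconcile(scan_text, clean_text):
    """List (kind, target) for every Found item the Clean run never reports Deleted."""
    scan_opt, found = parse_report(scan_text)
    clean_opt, deleted = parse_report(clean_text)
    if scan_opt != "Scan" or clean_opt != "Clean":
        raise ValueError(f"expected a Scan and a Clean report, got {scan_opt!r}/{clean_opt!r}")
    found = {t: k for t, (k, v) in found.items() if v == "Found"}
    deleted = {t for t, (k, v) in deleted.items() if v == "Deleted"}
    return sorted((k, t) for t, k in found.items() if t not in deleted)
```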
Next step. Download ComboFix onto your Desktop & then run. If your default download location is not the Desktop, drag it out of its location onto the Desktop. Copy & Paste the contents of the log in your next post please. ComboFix's log should be located at C:\COMBOFIX.TXT.
The logs are large, upload them using Zippy ( No account/registration needed ) or upload to a site of your choosing. Give us the links please.
http://www.zippyshare.com/
Instructions on how to use ZippyShare.
http://i.imgur.com/naG6t2T.gif
http://i.imgur.com/Vi9ZdIh.gif
http://i.imgur.com/1IZu5kP.gif
http://www.bleepingcomputer.com/dow...
http://download.bleepingcomputer.co...
http://www.forospyware.com/sUBs/Com...
A guide and tutorial on using ComboFix
http://www.bleepingcomputer.com/com...
http://www.winhelp.us/index.php/gen...
Manually restoring the Internet connection
http://www.bleepingcomputer.com/com...
There are circumstances where ComboFix will hang, crash or stall at various stages due to malware interference, failure to disable other real-time protection tools or the presence of CD Emulators (Daemon Tools, Alcohol 120%, Astroburn, AnyDVD) so that it does not complete successfully. Also, depending on how badly a system is infected, ComboFix may take longer to complete its routine than it normally does or fail to run properly. While that is not normal behavior, it is not unusual.
If you think it's frozen, look at the computer clock.
If it's running, Combofix is still working.
NOTE: Do not mouseclick combofix's window while it is running. That may cause it to stall.
NOTE: ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
**Please Note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
Allow ComboFix to download the Recovery Console.
Accept the End-User License Agreement.
The Recovery Console will be installed.
You will then get this next prompt that asks if you want to continue the malware scan, select yes.
If after running ComboFix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.
Can't Install an Antivirus - Windows Security Center still detects previous AV
http://www.experts-exchange.com/Vir...
We are almost ready to start ComboFix, but before we do so, we need to take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:
* Close all open Windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix. Instructions on disabling these type of programs can be found in this topic.
http://www.bleepingcomputer.com/for...
http://www.techsupportforum.com/for...
Once these two steps have been completed, double-click on the ComboFix icon found on your Desktop.
Please Note: Once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all. The scan could take a while, so please be patient.
combofix scan complete link below
Please download Farbar Recovery Scan Tool and save it onto your Desktop. If your default download location is not the Desktop, drag it out of its location onto the Desktop.
http://www.bleepingcomputer.com/dow...
If we have to run Farbar more than once, refer to this SS.
http://i.imgur.com/yUxNw0j.gif
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) on the Desktop.
The first time the tool is run, it also makes another log (Addition.txt).
The logs are large, upload them using Zippy ( No account/registration needed ) or upload to a site of your choosing. Give us the links please.
http://www.zippyshare.com/
Instructions on how to use ZippyShare.
http://i.imgur.com/naG6t2T.gif
http://i.imgur.com/Vi9ZdIh.gif
http://i.imgur.com/1IZu5kP.gif
FRST complete, links to logs below: http://www36.zippyshare.com/v/cq6Sp...
http://www36.zippyshare.com/v/jJ6Zi...
Give me about 15mins to do the first step in analyzing.
OK, thanks, I will be standing by.
Copy & Paste the text in Blue below & save it into Notepad on your Desktop & name it fixlist.txt
NOTE: It is important that Notepad is used. The fix will not work if Word or some other program is used.
NOTE: It is important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
closeprocesses:
emptytemp:
AlternateDataStreams: C:\ProgramData\Temp:4116B5AB
AlternateDataStreams: C:\ProgramData\Temp:56E2E879
AlternateDataStreams: C:\ProgramData\Temp:FB1B13D8
HKLM-x32\...\Run: [] => [X]
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-279346440-3864694767-3748385609-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKLM -> DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searc...
SearchScopes: HKLM-x32 -> DefaultScope value is missing
SearchScopes: HKLM-x32 -> {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = http://www.google.com/search?source...
SearchScopes: HKU\S-1-5-21-279346440-3864694767-3748385609-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
FF Homepage: hxxp://media.telstra.com.au/home.html
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 cpuz134; \??\C:\Users\BRIANH~1\AppData\Local\Temp\cpuz134\cpuz134_x64.sys [X]
S3 motandroidusb; System32\Drivers\motoandroid.sys [X]
S3 motccgpfl; system32\DRIVERS\motccgpfl.sys [X]
S3 motmodem; system32\DRIVERS\motmodem.sys [X]
S3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [X]
S3 MRENDIS5; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS [X]
S3 zgwhsdiag; system32\DRIVERS\zgwhsdiag.sys [X]
S3 zgwhsnmea; system32\DRIVERS\zgwhsnmea.sys [X]
Run FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that, let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please Copy & Paste the contents into your reply.
Do I have to run Fix in Farbar before I do this?
Depending on the outcome of the scans, there may be another explanation. If your email address is in someone else's address book the problem may be on their computer instead of yours. Malware on their computer may be using their address book to spoof messages. You would be notified of any message that was undeliverable since the email server would think you were the sender. That happened to me several years ago and there wasn't anything I could do as I had no idea where they were originating.
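The two cases described above can often be told apart from the bounce itself: the original message attached to a non-delivery report carries its Received chain, and the earliest hop shows which server first accepted the spam. Added example (not written by any poster in this thread) that parses a constructed bounce with Python's standard email library; the host names, addresses and the provider domain example-isp.net are made up.

```python
"""Triage a non-delivery report (bounce): was the bounced spam submitted through
our provider (infected PC or stolen credentials) or injected elsewhere with our
address forged (backscatter)? Added example using only the standard library."""
import email
import re
from email import policy

# Received syntax: "from <helo> (<rdns> [<ip>]) by <server> with <proto>; <date>"
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s+\((?P<detail>[^)]*)\))?\s+by\s+(?P<by>\S+)"
    r"(?:\s+with\s+(?P<proto>[A-Za-z0-9]+))?", re.I)

# Constructed bounce skeleton (not from the thread): a multipart/report that
# carries the offending message as message/rfc822, as most MTAs build a DSN.
BOUNCE_TEMPLATE = """\
From: MAILER-DAEMON@bounce.example.invalid
To: user@example-isp.net
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain

The following address failed: stranger@example.org
--B1
Content-Type: message/rfc822

{received}From: user@example-isp.net
To: stranger@example.org
Subject: (spam subject)

(spam body)
--B1--
"""

# Two constructed Received chains, newest hop first (MTAs prepend as they relay).
VIA_PROVIDER = [
    "Received: from smtp.example-isp.net (smtp.example-isp.net [192.0.2.25]) "
    "by mx.example.org with ESMTP; Fri, 12 Jun 2015 08:40:01 +1000\n",
    "Received: from user-pc (203.0.113.55) by smtp.example-isp.net with ESMTPA; "
    "Fri, 12 Jun 2015 08:39:58 +1000\n",
]
SPOOFED = [
    "Received: from [198.51.100.77] (unknown [198.51.100.77]) by mx.example.org "
    "with SMTP; Fri, 12 Jun 2015 08:40:01 +1000\n",
]
UNVERIFIED = {"verdict": "unverified", "entry_server": None, "authenticated": False}

def make_bounce(received_lines):
    """Build a constructed bounce whose attached original carries these hops."""
    return BOUNCE_TEMPLATE.format(received="".join(received_lines))

def original_message(bounce_text):
    """Return the original message attached to the bounce, or None."""
    msg = email.message_from_string(bounce_text, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None

def classify_bounce(bounce_text, provider_domain):
    """Decide from the earliest Received hop where the spam entered the mail system.
    Caveat: a spammer controls every header below the first trusted server, so
    only hops added by servers you trust count as evidence."""
    orig = original_message(bounce_text)
    hops = [str(h) for h in orig.get_all("Received", [])] if orig else []
    m = RECEIVED_RE.search(" ".join(hops[-1].split())) if hops else None
    if not m:
        return dict(UNVERIFIED)
    entry = m.group("by").lower()
    # RFC 3848: ESMTPA/ESMTPSA mean the client authenticated, i.e. our credentials.
    authed = (m.group("proto") or "").upper() in ("ESMTPA", "ESMTPSA")
    if entry == provider_domain or entry.endswith("." + provider_domain):
        verdict = "via-provider"  # our account/PC sent it: change password, clean PC
    else:
        verdict = "spoofed"       # injected elsewhere with our address forged
    return {"verdict": verdict, "entry_server": entry, "authenticated": authed}
```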
"Do I have to run fix in farbar before I do this"
I don't think you have scrolled down to the bottom of my post.
I will be out for a few hours, let me know how your issues are going.