Solved how to remove sysenter virus

September 22, 2013 at 09:03:32
Specs: Windows 7, Intel Pent., cpu g630, 4.00 GB, 64 bit
My AVG Free has found 4 Sysenter viruses, but there is no option to remove them without upgrading to the paid AVG.

I ran TDSSKiller and it did not find any.

I found a free download called SysProAntiRootkit that says it can remove them. Have any of you heard of or used this one?

September 22, 2013 at 09:17:12
I would be careful downloading a tool that you are unfamiliar with. According to some sources, the sysenter hook detection may be a false positive. I would advise ensuring that your AVG is up to date (as they may make a correction). My suggestion is to check for an update and then rescan.

If you are really concerned, try running a GMER scan and post a log.


message edited by mikelinus

September 22, 2013 at 16:24:46
"I found a free download called SysProAntiRootkit"
Let's stick to safe tools.

1: Download & run Unhide
To run Unhide, simply download it to your desktop and then double-click on the Unhide icon. The program will open a black box and start making the files on your fixed disks visible again. Please note that this program will not unhide removable drives like flash cards and USB drives, as the FakeHDD rogues do not target these types of drives. Once it has finished, the program will display a Windows alert stating that your files have been restored. You should then reboot your computer for all of the settings to go into effect.
Copy & Paste the contents of the log. Let me know if it doesn't produce a log please.

2: Reboot

3: Run ESET Online Scanner, Copy and Paste the contents of the log please. This scan may take a very long while, so please be patient. Maybe start it before going to work or bed.
You may have to download ESET from a good computer, put it on a flash/thumb/pen drive & run it from there, if your comp is unbootable, or won't let you download.
Create a ESET SysRescue CD or USB drive
How do I use my ESET SysRescue CD or USB flash drive to scan and clean my system?
Configure ESET this way & disable your AV.
How to Temporarily Disable your Anti-virus
Which web browsers are compatible with ESET Online Scanner?
Online Scanner not working
Why Would I Ever Need an Online Virus Scanner?
I already have an antivirus program installed, isn't that enough?
Once onto a machine, malware can disable antivirus programs, prevent antimalware programs from downloading updates, or prevent a user from running antivirus scans or installing new antivirus software or malware removal tools. At this point even though you are aware the computer is infected, removal is very difficult.
5: Why does the ESET Online Scanner run slowly on my computer?
If you have other antivirus, antispyware or anti-malware programs running on your computer, they may intercept the scan being performed by the ESET Online Scanner and hinder performance. You may wish to disable the real-time protection components of your other security software before running the ESET Online Scanner. Remember to turn them back on after you are finished.
17: How can I view the log file from ESET Online Scanner?
The ESET Online Scanner saves a log file after running, which can be examined or sent in to ESET for further analysis. The path to the log file is "C:\Program Files\EsetOnlineScanner\log.txt". You can view this file by navigating to the directory and double-clicking on it in Windows Explorer, or by copying and pasting the path specification above (including the quotation marks) into the Start > Run dialog box from the Start Menu on the desktop.
If no threats are found, you will simply see an information window that no threats were found.

September 23, 2013 at 17:32:57
✔ Best Answer

Re #3
Delete all the associated files and registry entries
Be aware that if you are not familiar with the registry you could do more harm than good.
In my opinion you should continue with mikelinus and Johnw, who have already started going through a process to properly clean your computer (see #2).

EDIT: Post I was referring to has now been removed.

Always pop back and let us know the outcome - thanks

message edited by Derek

September 25, 2013 at 14:41:30
Mike: here is the GMER log

GMER 2.1.19163 -
Rootkit scan 2013-09-25 17:38:30
Windows 5.1.2600 Service Pack 3 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST500DM0 rev.HP73 465.76GB
Running: xj7n3fx6[1].exe; Driver: C:\Users\Warren\AppData\Local\Temp\uxdcypob.sys

---- User code sections - GMER 2.1 ----

.text C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe[1680] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074d11465 2 bytes [D1, 74]
.text C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe[1680] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074d114bb 2 bytes [D1, 74]
.text ... * 2
.text C:\Program Files (x86)\BillP Studios\WinPatrol\WinPatrol.exe[1260] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074d11465 2 bytes [D1, 74]
.text C:\Program Files (x86)\BillP Studios\WinPatrol\WinPatrol.exe[1260] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074d114bb 2 bytes [D1, 74]
.text ... * 2
.text C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe[3428] C:\windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000074ee8769 5 bytes [33, C0, C2, 04, 00]
.text C:\Program Files (x86)\Common Files\AOL\Topspeed\3.0\aoltpsd3.exe[6084] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074d11465 2 bytes [D1, 74]
.text C:\Program Files (x86)\Common Files\AOL\Topspeed\3.0\aoltpsd3.exe[6084] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074d114bb 2 bytes [D1, 74]
.text ... * 2
.text C:\PROGRAM FILES (X86)\AOL DESKTOP 9.7A\AOLBrowser\aolbrowser.exe[2608] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074d11465 2 bytes [D1, 74]
.text C:\PROGRAM FILES (X86)\AOL DESKTOP 9.7A\AOLBrowser\aolbrowser.exe[2608] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074d114bb 2 bytes [D1, 74]
.text ... * 2

---- Threads - GMER 2.1 ----

Thread C:\windows\System32\svchost.exe [1028:1368] 000007fef9f959a0
Thread C:\windows\System32\svchost.exe [1028:1464] 000007fefc121a70
Thread C:\windows\System32\svchost.exe [1028:4460] 000007fef2be20c0
Thread C:\windows\System32\svchost.exe [1028:4468] 000007fef2be26a8
Thread C:\windows\System32\svchost.exe [1028:4500] 000007fef2be29dc
Thread C:\windows\System32\svchost.exe [1028:4512] 000007fef2b714a0
Thread C:\windows\System32\svchost.exe [1028:4888] 000007fef1c5a2b0
Thread C:\windows\System32\svchost.exe [1028:5096] 000007fef84d44e0
Thread C:\windows\System32\svchost.exe [1028:5264] 000007fef86b88f8
Thread C:\windows\System32\svchost.exe [1028:5604] 000007fef11e3efc
Thread C:\windows\System32\svchost.exe [1028:668] 000007fef1228a4c
Thread C:\windows\System32\svchost.exe [1028:3844] 000007fef8552c20
Thread C:\windows\system32\taskhost.exe [2564:2832] 000007fef8c21f38
Thread C:\windows\system32\taskhost.exe [2564:1220] 000007fef87a1010
Thread c:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe [2916:5532] 000007fef45e4094
Thread c:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe [2916:5540] 000007fef2647c4c
Thread c:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe [2916:5544] 000007fef45e4094
Thread c:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe [2916:5548] 000007fef24ec0d0
Thread c:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe [2916:5552] 000007fef45e4094
Thread c:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe [2988:4676] 000007fef45e4094
Thread c:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe [2988:4704] 000007fef45e4094
Thread c:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe [2988:4708] 000007fef24ec0d0
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4984:4428] 000007fefab42a7c
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4984:4432] 000007feefe7d618

---- Disk sectors - GMER 2.1 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.1 ----

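Reading a GMER log by hand is error-prone, so the following is an added Python triage script (example code written for this page, not part of the thread and not a GMER tool). It parses the "User code sections", "Threads" and "Disk sectors" lines, groups byte-identical patches so it is visible that the PSAPI.DLL!GetModuleInformation patch is the same two bytes in every listed process, AVG's own agent included, decodes the five-byte SetUnhandledExceptionFilter patch (xor eax,eax / ret 4, so the call now returns 0 and changes nothing), and flags the "unknown MBR code" line for a manual check. The sample lines are copied from the log posted above; the rule "identical patch in many processes points to one installed product, a patch in a single process deserves a closer look" is a triage heuristic assumed here, not a verdict, and the opcode patterns in describe_patch are the common x86 detour prologues, nothing specific to this machine.

```python
"""Triage a GMER 2.1 log: parse hook/thread/disk lines, group byte-identical patches
across processes, decode common patch prologues and list what still needs a human look."""
import re
from collections import defaultdict

# Constructed sample: a subset of the GMER log posted in this thread.
SAMPLE_LOG = r"""
---- User code sections - GMER 2.1 ----
.text C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe[1680] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074d11465 2 bytes [D1, 74]
.text C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe[1680] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074d114bb 2 bytes [D1, 74]
.text ... * 2
.text C:\Program Files (x86)\BillP Studios\WinPatrol\WinPatrol.exe[1260] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074d11465 2 bytes [D1, 74]
.text C:\Program Files (x86)\BillP Studios\WinPatrol\WinPatrol.exe[1260] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074d114bb 2 bytes [D1, 74]
.text ... * 2
.text C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe[3428] C:\windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000074ee8769 5 bytes [33, C0, C2, 04, 00]
---- Threads - GMER 2.1 ----
Thread C:\windows\System32\svchost.exe [1028:1368] 000007fef9f959a0
Thread C:\windows\system32\taskhost.exe [2564:2832] 000007fef8c21f38
---- Disk sectors - GMER 2.1 ----
Disk \Device\Harddisk0\DR0 unknown MBR code
"""

HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"                        # process image and PID
    r"(?P<module>.+?)!(?P<func>\w+)(?:\s*\+\s*(?P<offset>\d+))?\s+"      # export, optional offset
    r"(?P<addr>[0-9a-fA-F]{8,16})\s+(?P<size>\d+)\s+bytes\s+\[(?P<bytes>[^\]]*)\]\s*$")
ELIDED_RE = re.compile(r"^\.text\s+\.\.\.\s+\*\s+(?P<n>\d+)\s*$")   # GMER collapses repeats
THREAD_RE = re.compile(r"^Thread\s+(?P<proc>.+?)\s+\[(?P<pid>\d+):(?P<tid>\d+)\]\s+(?P<addr>[0-9a-fA-F]+)\s*$")
DISK_RE = re.compile(r"^Disk\s+(?P<device>\S+)\s+(?P<verdict>.+?)\s*$")


def _image(path):
    """Basename of a Windows path (os.path.basename does not split on backslashes off-Windows)."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def parse_gmer(text):
    """Turn the three GMER sections into records; headers and the EOF marker are ignored."""
    out = {"hooks": [], "elided_hooks": 0, "threads": [], "disks": []}
    for line in text.splitlines():
        line = line.strip()
        if m := HOOK_RE.match(line):
            d = m.groupdict()
            out["hooks"].append({
                "process": _image(d["proc"]), "pid": int(d["pid"]),
                "module": _image(d["module"]).lower(), "func": d["func"],
                "offset": int(d["offset"] or 0), "addr": int(d["addr"], 16),
                "bytes": bytes(int(b, 16) for b in d["bytes"].split(","))})
        elif m := ELIDED_RE.match(line):
            out["elided_hooks"] += int(m["n"])
        elif m := THREAD_RE.match(line):
            out["threads"].append({"process": _image(m["proc"]), "pid": int(m["pid"]),
                                   "tid": int(m["tid"]), "start": int(m["addr"], 16)})
        elif m := DISK_RE.match(line):
            out["disks"].append({"device": m["device"], "verdict": m["verdict"]})
    return out


def describe_patch(patch):
    """Name a few well-known x86 patch prologues; anything else stays 'unknown' on purpose."""
    if patch[:1] == b"\xe9":
        return "jmp rel32 detour (classic inline hook)"
    if patch[:2] == b"\xff\x25":
        return "jmp [abs] detour"
    if patch == b"\x33\xc0\xc2\x04\x00":
        return "xor eax,eax / ret 4: stdcall export stubbed out, always returns 0"
    return "unknown/partial patch (%d bytes)" % len(patch)


def group_hooks(hooks):
    """Group patches identical in module, export, offset and bytes. Heuristic (assumed): the same
    patch in many unrelated processes usually comes from one installed product; one process = look."""
    groups = defaultdict(set)
    for h in hooks:
        groups[(h["module"], h["func"], h["offset"], h["bytes"])].add((h["process"], h["pid"]))
    out = []
    for (module, func, offset, patch), procs in groups.items():
        out.append({"target": "%s!%s%s" % (module, func, "+%d" % offset if offset else ""),
                    "patch": patch.hex(" "), "decoded": describe_patch(patch),
                    "processes": sorted(procs), "shared": len(procs) > 1})
    return sorted(out, key=lambda g: (-len(g["processes"]), g["target"]))


def triage(text):
    """Everything not explained by 'same patch everywhere' goes into findings."""
    parsed = parse_gmer(text)
    groups = group_hooks(parsed["hooks"])
    findings = ["%s: %s (compare the boot sector with a known-good copy; OEM boot code is "
                "common, but a bootkit would produce the same line)" % (d["device"], d["verdict"])
                for d in parsed["disks"] if "unknown" in d["verdict"].lower()]
    findings += ["%s patched only in %s[%d]: %s" % (g["target"], *g["processes"][0], g["decoded"])
                 for g in groups if not g["shared"]]
    return {"groups": groups, "findings": findings, "threads": len(parsed["threads"]),
            "elided_hooks": parsed["elided_hooks"]}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for g in report["groups"]:
        print("%-40s %-15s %-6s %s" % (g["target"], g["patch"], "shared" if g["shared"] else "single", g["decoded"]))
        print("    in:", ", ".join("%s[%d]" % p for p in g["processes"]))
    for f in report["findings"]:
        print("CHECK:", f)
```

Run it as-is, or replace SAMPLE_LOG with the full text of a pasted log. The "* 2" lines GMER emits are counted rather than dropped, so the summary states how many hooks were collapsed; the output is a worklist, not a verdict, and the two findings it produces for the posted log (the single-process SetUnhandledExceptionFilter stub and the unknown MBR code) are the lines a human should still look at.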
September 25, 2013 at 15:05:30
I shall let mikelinus analyze GMER.

Will wait for the ESET result myself.

September 25, 2013 at 21:40:03
I ran ESET and this is all that it found:

C:\Users\Warren\AppData\Roaming\Mozilla\Firefox\Profiles\61bh9gqb.default\extensions\\content\overlay.js JS/Adware.Yontoo.C application cleaned by deleting - quarantined

September 25, 2013 at 21:52:58
Run AdwCleaner
Please download AdwCleaner by Xplode onto your desktop.
Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click on Delete.
Confirm each time with Ok.
Your computer will be rebooted automatically. A text file will open after the restart.
Please Copy & Paste the contents of that logfile with your next answer.
You can find the logfile at C:\AdwCleaner[S1].txt as well.

Run Junkware Removal Tool
Download Junkware Removal Tool to your desktop.
Warning! Once the scan is complete JRT will shut down your browser with NO warning.
Shut down your protection software now to avoid potential conflicts.
Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
Run the tool by double-clicking it. If you are using Windows Vista or Windows 7/8, right-click JRT and select Run as Administrator
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Copy and Paste the contents of the JRT.txt log please.

September 25, 2013 at 21:54:32
Just realized I didn't get the Unhide log.
Did you run it?

message edited by Johnw

September 26, 2013 at 06:21:25
Sorry John, here is the log:

Unhide by Lawrence Abrams (Grinler)
Copyright 2008-2013
More Information about Unhide.exe can be found at this link:

Program started at: 09/26/2013 08:56:31 AM
Windows Version: Windows XP

Please be patient while your files are made visible again.

Processing the C:\ drive
Finished processing the C:\ drive. 274268 files processed.

Processing the D:\ drive
Finished processing the D:\ drive. 242 files processed.

Processing the F:\ drive
Finished processing the F:\ drive. 0 files processed.

Processing the G:\ drive
Finished processing the G:\ drive. 0 files processed.

Processing the H:\ drive
Finished processing the H:\ drive. 0 files processed.

Processing the I:\ drive
Finished processing the I:\ drive. 0 files processed.

Processing the J:\ drive
Finished processing the J:\ drive. 2 files processed.

The C:\Users\Warren\AppData\Local\Temp\smtmp\ folder does not exist!!
Unhide cannot restore your missing shortcuts!!
Please see this topic in order to learn how to restore default
Start Menu shortcuts:

Searching for Windows Registry changes made by FakeHDD rogues.
- Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
* NoActiveDesktopChanges policy was found and deleted!
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
- Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

Program finished at: 09/26/2013 09:05:57 AM
Execution time: 0 hours(s), 9 minute(s), and 25 seconds(s)

I ran AVG again this a.m. and the 4 Sysenter files are still there. This is one of them:
Sysenter hook 0xFFFFF80004A838C0

September 26, 2013 at 06:36:30
John, I would just like to mention the only thing I have downloaded lately was an update to Adobe Flash Player. These did not show up on last week's running of the AVG. Can I assume they came in the update download of Adobe?

September 26, 2013 at 06:42:57
GMER looks like it found nothing. Sorry that wasn't a help.


September 26, 2013 at 12:02:49
Here is the AdwCleaner log:

# AdwCleaner v3.005 - Report created 26/09/2013 at 14:56:16
# Updated 22/09/2013 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Warren - WARREN-HP
# Running from : C:\Users\Warren\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\32GNMUE0\adwcleaner[1].exe
# Option : Clean

***** [ Services ] *****

Service Deleted : vToolbarUpdater14.2.0

***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\Viewpoint
Folder Deleted : C:\Program Files (x86)\Conduit
Folder Deleted : C:\Program Files (x86)\Viewpoint
Folder Deleted : C:\Program Files (x86)\Common Files\AVG Secure Search
Folder Deleted : C:\Program Files (x86)\Common Files\Software Update Utility
Folder Deleted : C:\Users\Warren\AppData\Local\AVG Secure Search
Folder Deleted : C:\Users\Warren\AppData\Local\Conduit
Folder Deleted : C:\Users\Warren\AppData\Local\cre
Folder Deleted : C:\Users\Warren\AppData\Local\DefineExt
Folder Deleted : C:\Users\Warren\AppData\Local\getsavin
Folder Deleted : C:\Users\Warren\AppData\Local\iac
Folder Deleted : C:\Users\Warren\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\Warren\AppData\LocalLow\PriceGong
Folder Deleted : C:\Users\Warren\AppData\Roaming\iWin
Folder Deleted : C:\Users\Warren\AppData\Roaming\Mozilla\Firefox\Profiles\61bh9gqb.default\Extensions\{F0E59437-6148-4A98-B0A6-60D557EF57F4}
Folder Deleted : C:\Users\Warren\AppData\Roaming\Mozilla\Firefox\Profiles\61bh9gqb.default\Extensions\
Folder Deleted : C:\Users\Warren\AppData\Roaming\Mozilla\Firefox\Profiles\61bh9gqb.default\Extensions\tidynetwork@tidynetwork
Folder Deleted : C:\Users\Warren\AppData\Local\Google\Chrome\User Data\Default\Extensions\gjkpcnacdgdlpfejlgflolpaigoicibh
File Deleted : C:\Users\Warren\AppData\Roaming\Mozilla\Firefox\Profiles\q6ssat56.default-1362344828177\searchplugins\Conduit.xml
File Deleted : C:\Users\Warren\AppData\Roaming\Mozilla\Firefox\Profiles\61bh9gqb.default\user.js
File Deleted : C:\Users\Warren\AppData\Roaming\Mozilla\Firefox\Profiles\q6ssat56.default-1362344828177\user.js
File Deleted : C:\Users\Warren\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_search.conduit.com_0.localstorage
File Deleted : C:\Users\Warren\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_search.conduit.com_0.localstorage-journal

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKCU\Toolbar
Key Deleted : HKLM\SOFTWARE\Classes\AppID\dnu.EXE
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ScriptHelper.EXE
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ViProtocol.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdate
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUIBrowser
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUIBrowser.1
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUpdController
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUpdController.1
Key Deleted : HKLM\SOFTWARE\Classes\protocols\handler\viprotocol
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi.1
Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE
Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE.1
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\UpdateTask_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\UpdateTask_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\wajam_install_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\wajam_install_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\WajamUpdater_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\WajamUpdater_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\WebCakeDesktop_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\WebCakeDesktop_RASMANCS
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\ SiteSafety plugin,version=,application/x-avg-sitesafety-plugin
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3289847
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{1FDFF5A2-7BB1-48E1-8081-7236812B12B2}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{6C259840-5BA8-46E6-8ED1-EF3BA47D8BA1}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{B27D9527-3762-4D71-963D-FB7A94FDD678}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BB711CB0-C70B-482E-9852-EC05EBD71DBB}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{933B95E2-E7B7-4AD9-B952-7AC336682AE3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{A0B10EBE-4E51-4CAE-949B-E6B9E7D68CEA}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{B658800C-F66E-4EF3-AB85-6C0C227862A9}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E15A9BFD-D16D-496D-8222-44CADF316E70}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F511AFDB-726E-4458-90E7-1ECB97406544}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{FB684D26-01F4-4D9D-87CB-F486BEBA56DC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{74FB6AFD-DD77-4CEB-83BD-AB2B63E63C93}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{92380354-381A-471F-BE2E-DD9ACD9777EA}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{C2AC8A0E-E48E-484B-A71C-C7A937FAAB94}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{04D2B915-19FF-41E9-994D-95DC898BEA43}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{8F0B76E1-4E46-427B-B55B-B90593468AC6}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C6FDD0C3-266A-4DC3-B459-28C697C44CDC}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{A5B9C0F5-5616-47CD-A95F-E43B488FACCF}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{443789B7-F39C-4B5C-9287-DA72D38F4FE6}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{A5B9C0F5-5616-47CD-A95F-E43B488FACCF}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{95B7759C-8C7F-4BF1-B163-73684A933233}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}]
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\APN PIP
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\ConduitSearchScopes
Key Deleted : HKCU\Software\Cr_Installer
Key Deleted : HKCU\Software\PriceGong
Key Deleted : HKCU\Software\SmartBar
Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\Software\PriceGong
Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar
Key Deleted : HKLM\Software\AVG Secure Search
Key Deleted : HKLM\Software\AVG Security Toolbar
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\MetaStream
Key Deleted : HKLM\Software\PIP
Key Deleted : HKLM\Software\Viewpoint
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SoftwareUpdUtility
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ViewpointMediaPlayer
Key Deleted : [x64] HKLM\SOFTWARE\Tarma Installer

***** [ Browsers ] *****

-\\ Internet Explorer v9.0.8112.16506

-\\ Mozilla Firefox v23.0.1 (en-US)

[ File : C:\Users\Warren\AppData\Roaming\Mozilla\Firefox\Profiles\q6ssat56.default-1362344828177\prefs.js ]

Line Deleted : user_pref("CT3289847_Firefox.csv", "[{\"from\":\"Abs Layer\",\"action\":\"loading toolbar\",\"time\":1375753776412,\"isWithState\":\"\",\"timeFromStart\":0,\"timeFromPrev\":0}]");
Line Deleted : user_pref("Smartbar.ConduitHomepagesList", "");
Line Deleted : user_pref("Smartbar.ConduitSearchEngineList", "");
Line Deleted : user_pref("Smartbar.ConduitSearchUrlList", "");
Line Deleted : user_pref("Smartbar.SearchFromAddressBarSavedUrl", "");
Line Deleted : user_pref("Smartbar.keywordURLSelectedCTID", "CT3289847");
Line Deleted : user_pref("", "WhiteSmoke New Customized Web Search");
Line Deleted : user_pref("", "hxxp://{searchTerms}&sspv=SSPV_AB_FF_1");
Line Deleted : user_pref("extentions.webcake.defaultEnableAppsList", "layers/banner,layers/inline,layers/search,layers/shopping,newOffers/wc");
Line Deleted : user_pref("extentions.webcake.installId", "bf016bb6-f226-4017-96cc-f4f8c0cf62a6");
Line Deleted : user_pref("plugin.blocklisted.npviewpoint", true);
Line Deleted : user_pref("smartbar.machineId", "VTULSYIUA9CFXM9ZKEGK79VHXOU");

-\\ Google Chrome v29.0.1547.76

[ File : C:\Users\Warren\AppData\Local\Google\Chrome\User Data\Default\preferences ]

Deleted : urls_to_restore_on_startup


AdwCleaner[R0].txt - [343 octets] - [26/09/2013 14:51:36]
AdwCleaner[R1].txt - [13114 octets] - [26/09/2013 14:54:56]
AdwCleaner[S0].txt - [12770 octets] - [26/09/2013 14:56:16]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [12831 octets] ##########

September 26, 2013 at 15:04:45
Still waiting on you to run > Junkware Removal Tool

September 26, 2013 at 17:31:47
Here is the Junkware Removal Tool log:

Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.2 (09.22.2013:1)
OS: Windows 7 Home Premium x64
Ran by Warren on Thu 09/26/2013 at 20:25:00.32

~~~ Services

Successfully stopped: [Service] hshld
Successfully deleted: [Service] hshld
Successfully stopped: [Service] hsstrayservice
Successfully deleted: [Service] hsstrayservice
Successfully stopped: [Service] hsswd
Successfully deleted: [Service] hsswd

~~~ Registry Values

Successfully deleted: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\ConduitFloatingPlugin_klibnahbojhkanfgaglnlalfkgpcppfi

~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\{72D89EBF-0C5D-4190-91FD-398E45F1D007}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{FB684D26-01F4-4D9D-87CB-F486BEBA56DC}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\anchorfree
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\aol toolbar
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\conduit
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\stronghold online backup
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\software\conduit
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\software\conduitsearchscopes
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\software\pricegong
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\software\smartbar
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\aol toolbar
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\conduit
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\firstsearch
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\axmetastream.metastreamctl
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\axmetastream.metastreamctl.1
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\axmetastream.metastreamctlsecondary
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\axmetastream.metastreamctlsecondary.1
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\conduitinstaller_rasapi32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\conduitinstaller_rasmancs
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\viewpointmediaplayer
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{22222222-2222-2222-2222-220222182204}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Interface\{55555555-5555-5555-5555-550255185504}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Interface\{66666666-6666-6666-6666-660266186604}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\TypeLib\{44444444-4444-4444-4444-440244184404}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{22222222-2222-2222-2222-220222182204}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Wow6432Node\Interface\{55555555-5555-5555-5555-550255185504}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Wow6432Node\Interface\{66666666-6666-6666-6666-660266186604}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Wow6432Node\TypeLib\{44444444-4444-4444-4444-440244184404}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\Toolbar.CT3289847
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\Interface\{55555555-5555-5555-5555-550255185504}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\Interface\{66666666-6666-6666-6666-660266186604}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\TypeLib\{44444444-4444-4444-4444-440244184404}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\HPSF_Tasks_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\HPSF_Tasks_RASMANCS
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\mconduitinstaller_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\mconduitinstaller_RASMANCS
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\pricepeep_1_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\pricepeep_1_RASMANCS
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\Interface\{55555555-5555-5555-5555-550255185504}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\Interface\{66666666-6666-6666-6666-660266186604}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\TypeLib\{44444444-4444-4444-4444-440244184404}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\HPSF_Tasks_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\HPSF_Tasks_RASMANCS
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\mconduitinstaller_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\mconduitinstaller_RASMANCS
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\pricepeep_1_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\pricepeep_1_RASMANCS

~~~ Files

Successfully deleted: [File] "C:\end"

~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\aol toolbar"
Successfully deleted: [Folder] "C:\ProgramData\big fish games"
Successfully deleted: [Folder] "C:\ProgramData\conduit"
Successfully deleted: [Folder] "C:\ProgramData\hotspot shield"
Successfully deleted: [Folder] "C:\ProgramData\strongvault online backup"
Successfully deleted: [Folder] "C:\ProgramData\viewpoint"
Successfully deleted: [Folder] "C:\ProgramData\w3i"
Successfully deleted: [Folder] "C:\Users\Warren\AppData\Roaming\hotspot shield"
Successfully deleted: [Folder] "C:\Users\Warren\appdata\local\aol toolbar"
Successfully deleted: [Folder] "C:\Users\Warren\appdata\local\conduit"
Successfully deleted: [Folder] "C:\Users\Warren\appdata\local\cre"
Successfully deleted: [Folder] "C:\Users\Warren\appdata\local\strongvault online backup"
Failed to delete: [Folder] "C:\Users\Warren\appdata\locallow\conduit"
Successfully deleted: [Folder] "C:\Users\Warren\appdata\locallow\pricegong"
Successfully deleted: [Folder] "C:\Users\Warren\appdata\locallow\whitesmoke_new"
Successfully deleted: [Folder] "C:\Program Files (x86)\aol toolbar"
Successfully deleted: [Folder] "C:\Program Files (x86)\conduit"
Successfully deleted: [Folder] "C:\Program Files (x86)\hotspot shield"
Failed to delete: [Folder] "C:\Program Files (x86)\viewpoint"
Successfully deleted: [Folder] "C:\Program Files (x86)\w3i"
Successfully deleted: [Folder] "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\strongvault online backup"
Successfully deleted: [Folder] "C:\ai_recyclebin"
Successfully deleted: [Folder] "C:\windows\syswow64\ai_recyclebin"
Successfully deleted: [Empty Folder] C:\Users\Warren\appdata\local\{5109E186-628B-481F-8528-217998F2779C}
Successfully deleted: [Empty Folder] C:\Users\Warren\appdata\local\{7082BDB9-F296-4DBE-8B9F-10441434E135}

~~~ FireFox

Successfully deleted: [File] C:\Users\Warren\AppData\Roaming\mozilla\firefox\profiles\q6ssat56.default-1362344828177\searchplugins\conduit.xml
Successfully deleted: [Folder] C:\Users\Warren\AppData\Roaming\mozilla\firefox\profiles\q6ssat56.default-1362344828177\extensions\{739df940-c5ee-4bab-9d7e-270894ae687a}
Successfully deleted the following from C:\Users\Warren\AppData\Roaming\mozilla\firefox\profiles\q6ssat56.default-1362344828177\prefs.js

user_pref("CT3289847.smartbar.homepage", "true");
user_pref("Smartbar.SearchFromAddressBarSavedUrl", "");
user_pref("", "WhiteSmoke New Customized Web Search");
user_pref("", "WhiteSmoke New Customized Web Search");
user_pref("", "hxxp://{searchTerms}");
user_pref("", "WhiteSmoke New Customized Web Search");
user_pref("browser.startup.homepage", "hxxp://");
user_pref("keyword.URL", "hxxp://");
user_pref("smartbar.addressBarOwnerCTID", "CT3289847");
user_pref("smartbar.conduitHomepageList", "hxxp://");
user_pref("smartbar.conduitSearchAddressUrlList", "hxxp://");
user_pref("smartbar.defaultSearchOwnerCTID", "CT3289847");
user_pref("smartbar.homePageOwnerCTID", "CT3289847");
Emptied folder: C:\Users\Warren\AppData\Roaming\mozilla\firefox\profiles\q6ssat56.default-1362344828177\minidumps [16 files]

~~~ Chrome

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\extensioninstallforcelist [Blacklisted Policy]
Successfully deleted: [Folder] C:\Users\Warren\appdata\local\Google\Chrome\User Data\Default\Extensions\gjkpcnacdgdlpfejlgflolpaigoicibh

~~~ Event Viewer Logs were cleared

Scan was completed on Thu 09/26/2013 at 20:30:01.23
End of JRT log
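The prefs.js entries JRT removed above (smartbar.*, CT3289847.*, an emptied keyword.URL and browser.startup.homepage, and entries with an empty preference name) are the footprint of a Conduit/WhiteSmoke search hijack, and one conduit folder is reported as "Failed to delete", so the profile is worth re-checking after cleanup. The following Python is an added example, not code from the thread or from JRT: it parses a Firefox prefs.js and reports entries that match that footprint. The sample prefs block is constructed, modelled on the log lines above with a made-up host; the trusted-host list and the hijacker name patterns are assumptions to adapt to the machine at hand.

```python
"""Audit a Firefox prefs.js for search/homepage hijack entries.

Added example (not from the thread or from JRT). Against a real profile:
    python audit_prefs.py "%APPDATA%\\Mozilla\\Firefox\\Profiles\\<profile>\\prefs.js"
"""
import re
import sys
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Firefox persists each preference as:  user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)*)"\s*,\s*(.*?)\s*\);\s*$')
URL_RE = re.compile(r'^(?:https?|hxxps?)://([^/?#]*)', re.I)  # hxxp = defanged, as in the log

# Preferences that decide where the browser goes; a hijacker rewrites these
# (browser.startup.homepage and keyword.URL both appear in the JRT log).
NAVIGATION_PREFS = {
    "browser.startup.homepage", "keyword.URL", "browser.newtab.url",
    "browser.search.defaultenginename", "browser.search.selectedEngine",
}
# Hosts accepted as a legitimate homepage/search target. Assumption: adapt to the
# user's own choices; anything else is reported for review, not declared malicious.
TRUSTED_HOSTS = {"www.google.com", "www.bing.com", "www.mozilla.org", "start.mozilla.org"}
# Name/value fragments of the Conduit/WhiteSmoke family seen in the log.
# Assumption: illustrative, not a complete signature set.
SUSPECT_PATTERNS = [re.compile(p, re.I) for p in
                    (r"^smartbar\.", r"^CT\d+\.", r"conduit", r"pricegong", r"whitesmoke")]


@dataclass
class Finding:
    line: int
    name: str
    value: str
    reason: str


def _unquote(raw: str) -> str:
    """Turn a JS string literal into its value; booleans and numbers pass through."""
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return raw


def parse_prefs(text: str) -> Iterator[Tuple[int, str, str]]:
    """Yield (line_number, name, value) for every user_pref() line."""
    for lineno, line in enumerate(text.splitlines(), 1):
        m = PREF_RE.match(line)
        if m:
            yield lineno, m.group(1), _unquote(m.group(2))


def audit_prefs(text: str) -> List[Finding]:
    """Return the entries a technician should look at, in file order."""
    findings: List[Finding] = []
    for lineno, name, value in parse_prefs(text):
        if name == "":
            findings.append(Finding(lineno, name, value, "empty preference name (malformed entry)"))
        elif any(p.search(name) for p in SUSPECT_PATTERNS):
            findings.append(Finding(lineno, name, value, "preference name belongs to a known hijacker add-on"))
        elif name in NAVIGATION_PREFS:
            if any(p.search(value) for p in SUSPECT_PATTERNS):
                findings.append(Finding(lineno, name, value, "navigation preference names a hijacker search engine"))
            else:
                m = URL_RE.match(value)
                if m and m.group(1).lower() not in TRUSTED_HOSTS:
                    host = m.group(1) or "<no host>"
                    findings.append(Finding(lineno, name, value, f"navigation preference points at untrusted host {host}"))
    return findings


# Constructed sample modelled on the prefs.js entries in the JRT log; the host is made up.
SAMPLE_PREFS = """\
// constructed sample, not a real profile
user_pref("browser.cache.disk.capacity", 358400);
user_pref("CT3289847.smartbar.homepage", "true");
user_pref("Smartbar.SearchFromAddressBarSavedUrl", "");
user_pref("", "WhiteSmoke New Customized Web Search");
user_pref("browser.startup.homepage", "hxxp://search.example.invalid/?src=hp");
user_pref("keyword.URL", "hxxp://search.example.invalid/?q=");
user_pref("smartbar.addressBarOwnerCTID", "CT3289847");
user_pref("browser.search.defaultenginename", "Google");
"""

if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_PREFS
    for f in audit_prefs(text):
        print(f"line {f.line}: {f.name!r} = {f.value!r}  <- {f.reason}")
```

On the sample the benign cache entry and the "Google" engine name pass; the six hijacker entries are reported. Firefox rewrites prefs.js on exit, so run the audit with the browser closed, and treat a hit on a navigation preference as "review" rather than "malicious" until the host is checked.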


September 26, 2013 at 17:44:40
You do not appear to be showing enough respect to my help, Warren. I should not have to be reminding you to do things.
Either print or write down the instructions & then cross off each step as you do it.

"I ran ESET and this is all that it found:"
It found getwebcake.
That was enough; it gave me a clue, as the rootkit tools TDSSKiller & Gmer both came up clean.
As you can see, you have a lot of stuff installed that you did not know had been installed.
A lot of programs now give you the choice to install toolbars & other items during the install. Either uncheck these items during install, or use Custom install. No more click, click during an install; you have to read after each click.

"I ran AVG again this a.m. and the 4 Sysenter files are still there. This is one of them:
Sysenter hook 0xFFFFF80004A838C0"
Ok, I will be doing a step-by-step process to dismantle the problems until you are clean; it's good that you are doing a check after each step. We may have to run some programs more than once.

Run Defogger & then Combofix.
This program can enable and disable CD emulation, often required in removing difficult malware. Some CD Emulation programs use a hidden driver that may be seen as a rootkit or that will interfere with the proper operation of the anti-rootkit scanner.
Run ComboFix. Copy & Paste the contents of the log please. ComboFix's log should be located at C:\COMBOFIX.TXT.
A guide and tutorial on using ComboFix
Manually restoring the Internet connection
"There are circumstances ComboFix will hang, crash or stall at various stages due to malware interference, failure to disable other real-time protection tools or the presence of CD Emulators (Daemon Tools, Alcohol 120%, Astroburn, AnyDVD) so that it does not complete successfully. Also, depending on how badly a system is infected, ComboFix may take longer to complete its routine than it normally does or fail to run properly. While that is not normal behavior, it is not unusual"
If you think it's frozen, look at the computer clock.
If it's running, Combofix is still working.
Do not mouseclick combofix's window while it is running. That may cause it to stall.
ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
Allow ComboFix to download the Recovery Console.
Accept the End-User License Agreement.
The Recovery Console will be installed.
You will then get this next prompt that asks if you want to continue the malware scan, select yes.
If after running Combofix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.
Can't Install an Antivirus - Windows Security Center still detects previous AV
We are almost ready to start ComboFix, but before we do so, we need to take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:
* Close all open Windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix. Instructions on disabling these types of programs can be found in this topic.
Once these two steps have been completed, double-click on the ComboFix icon found on your desktop. Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all. The scan could take a while, so please be patient.

message edited by Johnw
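The AVG line quoted in this reply gives an address, and the earlier reply in the thread says the sysenter-hook detection may be a false positive. Anti-rootkit scanners decide that by checking where the address points: on x64 Windows the CPU takes the SYSCALL/SYSENTER target from the IA32_LSTAR and IA32_SYSENTER_EIP MSRs, and the handler is "hooked" when that address lies outside the NT kernel image (ntoskrnl.exe). The following Python is an added example, not code from the thread, AVG or GMER: it does only the classification step, placing a reported address against a table of loaded kernel modules and saying whether it falls in the kernel, in some other driver (AV and CD-emulation drivers do redirect these MSRs, which is why the Defogger step exists), or in memory no module owns. The module table in the block is constructed for illustration; real bases differ on every boot, so on the actual machine the map must be read from that machine, and the "kernel" verdict the sample produces says nothing about Warren's PC. The Windows-only helper that reads bases through psapi EnumDeviceDrivers is an assumption not exercised offline and needs a 64-bit Python on 64-bit Windows. Hand-transcribed addresses often carry the letter O in place of zero, so the parser maps O back to 0.

```python
"""Classify a reported SYSENTER/SYSCALL handler address against the kernel module map.

Added example (not from the thread, AVG or GMER). It needs the address the scanner
printed and the list of loaded kernel modules with their base addresses.
"""
import re
import sys
from dataclasses import dataclass
from typing import List, Optional, Tuple

KERNEL_IMAGES = {"ntoskrnl.exe", "ntkrnlpa.exe", "ntkrnlmp.exe", "ntkrpamp.exe"}


@dataclass
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


def parse_address(text: str) -> int:
    """Parse a hex address as typed by a user: accept 0x/OX prefixes and map the
    letter O (a common transcription error) back to the digit 0."""
    s = text.strip().upper()
    if s.startswith(("0X", "OX")):
        s = s[2:]
    s = s.replace("O", "0")
    if not re.fullmatch(r"[0-9A-F]{1,16}", s):
        raise ValueError(f"not a hex address: {text!r}")
    return int(s, 16)


def classify_handler(addr: int, modules: List[Module]) -> Tuple[str, Optional[str]]:
    """'kernel'   - inside the NT kernel image: the normal, unhooked state.
    'driver'   - inside another loaded driver: that driver redirected the MSR
                 (AV and CD-emulation drivers do this; not proof of malware).
    'unbacked' - no module owns the address: strong rootkit indicator."""
    for m in modules:
        if m.contains(addr):
            return ("kernel" if m.name.lower() in KERNEL_IMAGES else "driver", m.name)
    return ("unbacked", None)


# Constructed module map for illustration only. Real bases differ on every boot,
# so the map must be taken from the machine under examination.
SAMPLE_MODULES = [
    Module("ntoskrnl.exe", 0xFFFFF80004A0F000, 0x5E7000),
    Module("hal.dll",      0xFFFFF80004FF6000, 0x049000),
    Module("sptd.sys",     0xFFFFF88000C00000, 0x070000),  # CD-emulation driver, stand-in
]


def windows_module_map() -> List[Module]:
    """Windows only (assumption, not exercised offline): read driver bases with
    psapi EnumDeviceDrivers. The API does not expose sizes, so each module gets
    the gap up to the next base; run under a 64-bit Python on 64-bit Windows."""
    import ctypes
    from ctypes import wintypes
    psapi = ctypes.WinDLL("psapi")
    needed = wintypes.DWORD(0)
    psapi.EnumDeviceDrivers(None, 0, ctypes.byref(needed))
    bases = (ctypes.c_void_p * (needed.value // ctypes.sizeof(ctypes.c_void_p)))()
    psapi.EnumDeviceDrivers(bases, needed, ctypes.byref(needed))
    name = ctypes.create_unicode_buffer(260)
    entries = []
    for b in bases:
        if b:
            psapi.GetDeviceDriverBaseNameW(ctypes.c_void_p(b), name, 260)
            entries.append((name.value, b))
    entries.sort(key=lambda e: e[1])
    mods = []
    for i, (n, b) in enumerate(entries):
        size = entries[i + 1][1] - b if i + 1 < len(entries) else 0x100000
        mods.append(Module(n, b, size))
    return mods


if __name__ == "__main__":
    # Default input: a constructed transcription of the address in the thread,
    # written with O for 0 to exercise the parser.
    reported = sys.argv[1] if len(sys.argv) > 1 else "OXFFFFF80004A838CO"
    mods = windows_module_map() if sys.platform == "win32" else SAMPLE_MODULES
    verdict, owner = classify_handler(parse_address(reported), mods)
    print(f"{reported} -> {verdict}" + (f" ({owner})" if owner else ""))
```

Read the verdict the way a GMER log is read: "kernel" means the scanner's hook alarm is not backed by the MSR, "driver" names the driver to identify (it is what Defogger is meant to take out of the picture before ComboFix runs), and "unbacked" is the case that justifies rootkit tooling.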


September 26, 2013 at 18:15:44
Sorry John, the last memo is a little confusing. You say to run ComboFix, then to run Defogger. But how will I know that ComboFix is finally done?


September 26, 2013 at 18:40:21
Yep, you are right Warren; I will have to reword that: run Defogger first & then Combofix.

"but how will i know that combofix is finally done"
If you think it's frozen, look at the computer clock.
If it's running, Combofix is still working.
It does about 50 stages & when it's finished, it lets you know.

message edited by Johnw


September 26, 2013 at 18:43:35
OK, thanks for clearing that up for me. Will run them tomorrow.


September 26, 2013 at 23:32:33
Double click DeFogger to run the tool.
The application window will appear
Click the Disable button to disable your CD Emulation drivers
Click Yes to continue
A 'Finished!' message will appear
Click OK
DeFogger may ask you to reboot the machine, if it does - click OK
Do not re-enable these drivers until otherwise instructed.


September 27, 2013 at 21:07:08
John: I have downloaded ComboFix and run it. When I click on the icon, the Administrator box comes up and it says it is starting to scan files, but after a few minutes it disappears. I started it a few times and the same thing happens. AVG is disabled along with the Windows firewall; nothing else is running. Going to bed, will try again tomorrow.


September 27, 2013 at 21:21:18
" But after a few minutes it disappears"

1: Try Safe mode.
2: Rename Combofix.exe as you download it to winlogon.exe or Combo-Fix.exe or anything you like.
It is very important that you save the newly renamed EXE file to your desktop.
You must rename Combofix.exe as you download it and not after it is on your computer.
You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
Open Firefox
Click Tools -> Options -> Main
Under the downloads section check the button that says "Always ask me where to save files".
Click OK
For Internet Explorer:
Choose to save, not open the file
When prompted - save the file to your desktop, and rename it winlogon.exe.
Download Combofix to a USB and run Combofix from the USB, just say continue to all the warning messages.
