TechSpot

How to interfere with hijacked MS Explorer

By Row1
Nov 2, 2014
  1. Hello, everyone - I am accessing from my work computer, which is fine. My personal laptop, a Dell E4300, has just recently gotten hijacked by something. It has taken over MS Explorer. When I boot up, BEFORE ever clicking to start MS Explorer, Explorer starts running.

    MS Explorer consumes a great portion of CPU in several sessions, and consumes MOST of RAM.

    So, ANYTHING else runs VERY slow.

    I am ready to go through the Techspot virus/malware process, but it might take days since the computer is running so slow.

    I can get it to run faster for a minute or two by getting in the task manager and ending instances of MS Explorer.

    But how can I interfere or stop MS Explorer for a longer period of time? Hopefully until I myself choose to run it again? THANKS!

    Until then, I will have to download stuff on my work comp, transfer to personal laptop, and let it run. This will be a big challenge.
     
  2. Row1

    Row1 TS Guru Topic Starter Posts: 332   +13

    OH, BTW, I am able to get the personal laptop running at all because I downloaded Firefox; MS Explorer and Google Chrome are totally jacked up.
     
  3. Row1

    Row1 TS Guru Topic Starter Posts: 332   +13

    OK, in the task manager I ended all instances of MS Explorer. This brought CPU load down to normal, 1-2%. Then, activity kicked back up with a few dll.exe.
    I cancelled those processes and the computer goes back to normal for about two minutes, before the dllhost.exe shows up again, using 53%, 78%, 47% of CPU.

    Internet Explorer has not come back on.

    Just some dllhost.exe coming back to life.

    Also, when I do this, to get some control back, I lose the file explorer - so I cannot save, rename, or move files.

    I may need to download and install a file browser other than windows file explorer to solve this problem.
     
  4. Row1

    Row1 TS Guru Topic Starter Posts: 332   +13

    The dllhost.exe process, in task manager, says for description: "COM Surrogate."
     
  5. Row1

    Row1 TS Guru Topic Starter Posts: 332   +13

    A flashdrive-based file explorer would be helpful - any suggestions?
     
  6. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    Please, observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ==============================

    It looks like you're infected with Poweliks malware.

    Download RogueKiller from one of the following links and save it to your Desktop:

    Link 1
    Link 2

    • Close all the running programs
    • Windows Vista/7/8 users: right click on RogueKiller.exe, click Run as Administrator
    • Otherwise just double-click on RogueKiller.exe
    • Pre-scan will start. Let it finish.
    • Click on SCAN button.
    • Wait until the Status box shows Scan Finished
    • Click on Delete.
    • Wait until the Status box shows Deleting Finished.
    • Click on Report and copy/paste the content of the Notepad into your next reply.
    • RKreport.txt could also be found on your desktop.
    • If more than one log is produced post all logs.
    • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again.
     
  7. Row1

    Row1 TS Guru Topic Starter Posts: 332   +13

    Results from roguekiller:

    RogueKiller V10.0.4.0 [Oct 29 2014] by Adlice Software
    mail : http://www.adlice.com/contact/
    Feedback : http://forum.adlice.com
    Website : http://www.adlice.com/softwares/roguekiller/
    Blog : http://www.adlice.com
    Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
    Started in : Normal mode
    User : e4300 [Administrator]
    Mode : Delete -- Date : 11/02/2014 20:18:10
    ¤¤¤ Processes : 2 ¤¤¤
    [Suspicious.Path] explorer.exe -- C:\ProgramData\{D9E629DC-CB1C-4A97-9900-81922B4EFFD4}\zipfldr.dll[-] -> Unloaded
    [Suspicious.Path] rundll32.exe -- C:\Users\e4300\AppData\Local\movziuz.dll[-] -> Unloaded
    ¤¤¤ Registry : 12 ¤¤¤
    [PUP] HKEY_CLASSES_ROOT\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3} -> Not selected
    [PUP] HKEY_CLASSES_ROOT\CLSID\{5A4E3A41-FA55-4BDA-AED7-CEBE6E7BCB52} -> Not selected
    [PUP] HKEY_USERS\S-1-5-21-2579459372-583501214-59938211-1000\Software\Microsoft\Windows\CurrentVersion\Run | PriceMeterW : "C:\Users\e4300\AppData\Local\PriceMeter\pricemeterw.exe" -> Not selected
    [Suspicious.Path] HKEY_USERS\S-1-5-21-2579459372-583501214-59938211-1000\Software\Microsoft\Windows\CurrentVersion\Run | movziuz : rundll32 "C:\Users\e4300\AppData\Local\movziuz.dll",movziuz [x][x] -> Deleted
    [Suspicious.Path] HKEY_USERS\S-1-5-21-2579459372-583501214-59938211-1000\Software\Microsoft\Windows\CurrentVersion\Run | PoxkEsosv : regsvr32.exe "C:\ProgramData\PoxkEsosv\PoxkEsosv.dat" [7][-] -> Deleted
    [Suspicious.Path] HKEY_USERS\S-1-5-21-2579459372-583501214-59938211-1000\Software\Microsoft\Windows\CurrentVersion\Run | OufjeZfoze : regsvr32.exe "C:\ProgramData\OufjeZfoze\OufjeZfoze.dat" [7][-] -> Deleted
    [PUM.HomePage] HKEY_USERS\S-1-5-21-2579459372-583501214-59938211-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.yahoo.com/ -> Not selected
    [PUM.Policies] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Not selected
    [PUM.StartMenu] HKEY_USERS\S-1-5-21-2579459372-583501214-59938211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Not selected
    [PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Not selected
    [PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Not selected
    [Tr.Poweliks] HKEY_USERS\S-1-5-21-2579459372-583501214-59938211-1000\Software\classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\LocalServer32 -> Deleted
    ¤¤¤ Tasks : 0 ¤¤¤
    ¤¤¤ Files : 0 ¤¤¤
    ¤¤¤ Hosts File : 0 ¤¤¤
    ¤¤¤ Antirootkit : 59 (Driver: Loaded) ¤¤¤
    [IAT:Inl] (explorer.exe) KERNEL32.dll - CreateProcessW : Unknown @ 0x699b285 (jmp 0xffffffff90a29238)
    [IAT:Inl] (explorer.exe @ USER32.dll) KERNEL32.dll - CreateProcessW : Unknown @ 0x699b285 (jmp 0xffffffff90a29238)
    [IAT:Inl] (explorer.exe @ MSCTF.dll) KERNEL32.dll - CreateProcessW : Unknown @ 0x699b285 (jmp 0xffffffff90a29238)
    [IAT:Inl] (explorer.exe @ iertutil.dll) KERNEL32.dll - CreateProcessW : Unknown @ 0x699b285 (jmp 0xffffffff90a29238)
    [IAT:Addr] (explorer.exe @ USERENV.dll) GPAPI.dll - RegisterGPNotificationInternal : Unknown @ 0x74d3278f
    [IAT:Inl] (explorer.exe @ SETUPAPI.dll) KERNEL32.dll - CreateProcessW : Unknown @ 0x699b285 (jmp 0xffffffff90a29238)
    [IAT:Inl] (explorer.exe @ apphelp.dll) KERNEL32.dll - CreateProcessW : Unknown @ 0x699b285 (jmp 0xffffffff90a29238)
    [IAT:Inl] (explorer.exe @ CLBCatQ.DLL) ADVAPI32.dll - CreateProcessAsUserW : Unknown @ 0x699b3cd (jmp 0x655ee9b)
    [IAT:Inl] (explorer.exe @ CLBCatQ.DLL) KERNEL32.dll - CreateProcessW : Unknown @ 0x699b285 (jmp 0xffffffff90a29238)
    [IAT:Inl] (explorer.exe @ SndVolSSO.DLL) KERNEL32.dll - CreateProcessW : Unknown @ 0x699b285 (jmp 0xffffffff90a29238)
    [IAT:Inl] (explorer.exe @ urlmon.dll) KERNEL32.dll - CreateProcessA : Unknown @ 0x699b32b (jmp 0xffffffff90a292a9)
    [IAT:Addr] (explorer.exe @ schannel.DLL) ncrypt.dll - SslIncrementProviderReferenceCount : Unknown @ 0x752b5c53
    [IAT:Addr] (explorer.exe @ schannel.DLL) ncrypt.dll - SslEncryptPacket : Unknown @ 0x752b38a3
    [IAT:Addr] (explorer.exe @ schannel.DLL) ncrypt.dll - SslOpenProvider : Unknown @ 0x752ba8ed
    [IAT:Addr] (explorer.exe @ schannel.DLL) ncrypt.dll - SslLookupCipherSuiteInfo : Unknown @ 0x752b59c7
    [IAT:Addr] (explorer.exe @ schannel.DLL) ncrypt.dll - SslImportKey : Unknown @ 0x752b5bb1
    [IAT:Inl] (explorer.exe @ CRYPTUI.dll) CRYPT32.dll - PFXImportCertStore : Unknown @ 0x6999d69 (jmp 0xffffffff910684b1)
    [IAT:Inl] (explorer.exe @ wer.dll) KERNEL32.dll - CreateProcessW : Unknown @ 0x699b285 (jmp 0xffffffff90a29238)
    [IAT:Inl] (explorer.exe @ msi.dll) ADVAPI32.dll - CreateProcessAsUserW : Unknown @ 0x699b3cd (jmp 0x655ee9b)
    [IAT:Inl] (explorer.exe @ ieframe.dll) KERNEL32.dll - CreateProcessW : Unknown @ 0x699b285 (jmp 0xffffffff90a29238)
    [IAT:Inl] (explorer.exe @ stobject.dll) KERNEL32.dll - CreateProcessW : Unknown @ 0x699b285 (jmp 0xffffffff90a29238)
    [IAT:Inl] (explorer.exe @ es.dll) KERNEL32.dll - CreateProcessW : Unknown @ 0x699b285 (jmp 0xffffffff90a29238)
    [IAT:Inl] (explorer.exe @ pnidui.dll) KERNEL32.dll - CreateProcessW : Unknown @ 0x699b285 (jmp 0xffffffff90a29238)
    [IAT:Inl] (explorer.exe @ FXSAPI.dll) KERNEL32.dll - CreateProcessW : Unknown @ 0x699b285 (jmp 0xffffffff90a29238)
    [IAT:Inl] (explorer.exe @ netcenter.dll) KERNEL32.dll - CreateProcessW : Unknown @ 0x699b285 (jmp 0xffffffff90a29238)
    [IAT:Inl] (explorer.exe @ ADVPACK.dll) KERNEL32.dll - CreateProcessW : Unknown @ 0x699b285 (jmp 0xffffffff90a29238)
    [IAT:Inl] (explorer.exe @ werconcpl.dll) KERNEL32.dll - CreateProcessW : Unknown @ 0x699b285 (jmp 0xffffffff90a29238)
    [IAT:Inl] (explorer.exe @ EhStorAPI.dll) KERNEL32.dll - CreateProcessW : Unknown @ 0x699b285 (jmp 0xffffffff90a29238)
    [IAT:Inl] (explorer.exe @ sysmain.dll) KERNEL32.dll - CreateProcessW : Unknown @ 0x699b285 (jmp 0xffffffff90a29238)
    [IAT:Inl] (explorer.exe @ igfxpph.dll) KERNEL32.dll - CreateProcessA : Unknown @ 0x699b32b (jmp 0xffffffff90a292a9)
    [IAT:Inl] (explorer.exe @ sbdrop.dll) KERNEL32.dll - CreateProcessW : Unknown @ 0x699b285 (jmp 0xffffffff90a29238)
    [IAT:Inl] (explorer.exe @ acppage.dll) KERNEL32.dll - CreateProcessW : Unknown @ 0x699b285 (jmp 0xffffffff90a29238)
    [IAT:Inl] (explorer.exe @ xwizards.dll) KERNEL32.dll - CreateProcessW : Unknown @ 0x699b285 (jmp 0xffffffff90a29238)
    [IAT:Inl] (firefox.exe @ MSVCR100.dll) KERNEL32.dll - CreateProcessA : Unknown @ 0x40b32b (jmp 0xffffffff8a4992a9)
    [IAT:Inl] (firefox.exe @ MSVCR100.dll) KERNEL32.dll - CreateProcessW : Unknown @ 0x40b285 (jmp 0xffffffff8a499238)
    [IAT:Inl] (firefox.exe @ USER32.dll) KERNEL32.dll - CreateProcessW : Unknown @ 0x40b285 (jmp 0xffffffff8a499238)
    [IAT:Inl] (firefox.exe @ MSCTF.dll) KERNEL32.dll - CreateProcessW : Unknown @ 0x40b285 (jmp 0xffffffff8a499238)
    [IAT:Inl] (firefox.exe @ iertutil.dll) KERNEL32.dll - CreateProcessW : Unknown @ 0x40b285 (jmp 0xffffffff8a499238)
    [IAT:Inl] (firefox.exe @ sandboxbroker.dll) KERNEL32.dll - CreateProcessW : Unknown @ 0x40b285 (jmp 0xffffffff8a499238)
    [IAT:Inl] (firefox.exe @ sandboxbroker.dll) ADVAPI32.dll - CreateProcessAsUserW : Unknown @ 0x40b3cd (jmp 0xffffffff8a3aee9b)
    [IAT:Inl] (firefox.exe @ nss3.dll) KERNEL32.dll - CreateProcessA : Unknown @ 0x40b32b (jmp 0xffffffff8a4992a9)
    [IAT:Inl] (firefox.exe @ xul.dll) nss3.dll - PR_Read : Unknown @ 0x40a21c (jmp 0xffffffff9573757c)
    [IAT:Inl] (firefox.exe @ xul.dll) nss3.dll - PR_Close : Unknown @ 0x40a106 (jmp 0xffffffff95732a26)
    [IAT:Inl] (firefox.exe @ xul.dll) nss3.dll - PR_Write : Unknown @ 0x40a34c (jmp 0xffffffff9573769c)
    [IAT:Inl] (firefox.exe @ xul.dll) nss3.dll - PR_DestroyPollableEvent : Unknown @ 0x40a106 (jmp 0xffffffff95732a26)
    [IAT:Inl] (firefox.exe @ xul.dll) KERNEL32.dll - CreateProcessW : Unknown @ 0x40b285 (jmp 0xffffffff8a499238)
    [IAT:Inl] (firefox.exe @ SETUPAPI.dll) KERNEL32.dll - CreateProcessW : Unknown @ 0x40b285 (jmp 0xffffffff8a499238)
    [IAT:Inl] (firefox.exe @ apphelp.dll) KERNEL32.dll - CreateProcessW : Unknown @ 0x40b285 (jmp 0xffffffff8a499238)
    [IAT:Inl] (firefox.exe @ CLBCatQ.DLL) ADVAPI32.dll - CreateProcessAsUserW : Unknown @ 0x40b3cd (jmp 0xffffffff8a3aee9b)
    [IAT:Inl] (firefox.exe @ CLBCatQ.DLL) KERNEL32.dll - CreateProcessW : Unknown @ 0x40b285 (jmp 0xffffffff8a499238)
    [IAT:Inl] (firefox.exe @ browsercomps.dll) KERNEL32.dll - CreateProcessW : Unknown @ 0x40b285 (jmp 0xffffffff8a499238)
    [IAT:Inl] (firefox.exe @ Wpc.dll) KERNEL32.dll - CreateProcessW : Unknown @ 0x40b285 (jmp 0xffffffff8a499238)
    [IAT:Inl] (firefox.exe @ nssdbm3.dll) nss3.dll - PR_Read : Unknown @ 0x40a21c (jmp 0xffffffff9573757c)
    [IAT:Inl] (firefox.exe @ nssdbm3.dll) nss3.dll - PR_Write : Unknown @ 0x40a34c (jmp 0xffffffff9573769c)
    [IAT:Inl] (firefox.exe @ nssdbm3.dll) nss3.dll - PR_Close : Unknown @ 0x40a106 (jmp 0xffffffff95732a26)
    [IAT:Inl] (firefox.exe @ freebl3.dll) nss3.dll - PR_Close : Unknown @ 0x40a106 (jmp 0xffffffff95732a26)
    [IAT:Inl] (firefox.exe @ freebl3.dll) nss3.dll - PR_Read : Unknown @ 0x40a21c (jmp 0xffffffff9573757c)
    [IAT:Inl] (firefox.exe @ urlmon.dll) KERNEL32.dll - CreateProcessA : Unknown @ 0x40b32b (jmp 0xffffffff8a4992a9)
    [IAT:Inl] (firefox.exe @ mf.dll) KERNEL32.dll - CreateProcessW : Unknown @ 0x40b285 (jmp 0xffffffff8a499238)
    ¤¤¤ Web browsers : 0 ¤¤¤
    ¤¤¤ MBR Check : ¤¤¤
    +++++ PhysicalDrive0: +++++
    --- User ---
    [MBR] 29fdfa556d13eb95d2083272401a4ed7
    [BSP] e7a4d88e39462edee4d9ce59ade9badd : Windows Vista/7/8 MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
    1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 152525 MB
    User = LL1 ... OK
    User = LL2 ... OK
    +++++ PhysicalDrive1: +++++
    --- User ---
    [MBR] ad33a3a547bba123744a073c3fd010a6
    [BSP] 33a07a59d299ab4ea9f4ab0156f9d86f : Windows XP MBR Code
    Partition table:
    0 - [ACTIVE] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 8064 | Size: 14883 MB
    User = LL1 ... OK
    Error reading LL2 MBR! ([32] The request is not supported. )

    ============================================
    RKreport_SCN_11022014_201622.log
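    The report above is the evidence behind the Poweliks diagnosis: two Run values that hand a DLL or .dat file under AppData/ProgramData to rundll32/regsvr32, and a per-user CLSID LocalServer32 registration tagged Tr.Poweliks, consistent with the dllhost.exe (COM Surrogate) processes Row1 kept seeing. As an added example (not RogueKiller's code and not posted by anyone in the thread), here is a small Python triage script that parses the Registry section of an RKreport and flags that persistence pattern, including items the tool reported but left in place. The sample lines are copied from the report, except the RunOnce "ExampleLoader" entry, which is constructed.

```python
# Added example, not RogueKiller's code or anything posted in the thread:
# triage the Registry section of an RKreport for Poweliks-style persistence.
import re
from dataclasses import dataclass

# Registry line format: [Tag] HIVE\Key\Path | ValueName : data -> Action
# (the "| ValueName : data" part is absent for key-only detections).
LINE_RE = re.compile(
    r"^\[(?P<tag>[^\]]+)\]\s+(?P<key>[^|]+?)"
    r"(?:\s+\|\s+(?P<name>[^:]+?)\s+:\s+(?P<data>.*?))?"
    r"\s+->\s+(?P<action>Deleted|Not selected|Unloaded|Found)\s*$"
)
# Signed Windows hosts that load whatever DLL/script they are handed, and
# user-writable locations a legitimate autorun has no reason to load code from.
LOADER_HOSTS = ("rundll32", "regsvr32")
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\users\\public\\", "\\temp\\")

# Lines copied from the report above, plus one constructed RunOnce entry
# ("ExampleLoader") representing an item the tool found but did not remove.
SAMPLE_REPORT = r"""
¤¤¤ Registry : 12 ¤¤¤
[PUP] HKEY_USERS\S-1-5-21-2579459372-583501214-59938211-1000\Software\Microsoft\Windows\CurrentVersion\Run | PriceMeterW : "C:\Users\e4300\AppData\Local\PriceMeter\pricemeterw.exe" -> Not selected
[Suspicious.Path] HKEY_USERS\S-1-5-21-2579459372-583501214-59938211-1000\Software\Microsoft\Windows\CurrentVersion\Run | movziuz : rundll32 "C:\Users\e4300\AppData\Local\movziuz.dll",movziuz [x][x] -> Deleted
[Suspicious.Path] HKEY_USERS\S-1-5-21-2579459372-583501214-59938211-1000\Software\Microsoft\Windows\CurrentVersion\Run | PoxkEsosv : regsvr32.exe "C:\ProgramData\PoxkEsosv\PoxkEsosv.dat" [7][-] -> Deleted
[Tr.Poweliks] HKEY_USERS\S-1-5-21-2579459372-583501214-59938211-1000\Software\classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\LocalServer32 -> Deleted
[Suspicious.Path] HKEY_USERS\S-1-5-21-2579459372-583501214-59938211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | ExampleLoader : regsvr32.exe "C:\ProgramData\ExampleLoader\payload.dat" -> Not selected
"""

@dataclass
class Entry:
    tag: str
    key: str
    name: str  # None for key-only detections
    data: str  # None for key-only detections
    action: str

def parse_report(text):
    # Keep only lines in the detection format; section headers are skipped.
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m["tag"], m["key"].strip(), m["name"], m["data"], m["action"]))
    return entries

def is_autorun_key(key):
    return key.lower().rstrip("\\").endswith(("\\currentversion\\run", "\\currentversion\\runonce"))

def is_per_user_com_server(key):
    # A CLSID under the user hive shadows the machine-wide registration for COM
    # activation, so the LocalServer32 command runs whenever the class is created.
    k = key.lower()
    return (k.startswith(("hkey_users\\", "hkey_current_user\\"))
            and "\\software\\classes\\clsid\\" in k and k.endswith("\\localserver32"))

def persistence_reasons(e):
    reasons = []
    if e.tag.startswith("Tr."):
        reasons.append("named trojan signature " + e.tag)
    if is_autorun_key(e.key) and e.data:
        d = e.data.lower()
        if any(h in d for h in LOADER_HOSTS) and any(p in d for p in USER_WRITABLE):
            reasons.append("autorun uses a trusted host to load code from a user-writable path")
    if is_per_user_com_server(e.key):
        reasons.append("per-user COM LocalServer32 registration")
    return reasons

def flag_persistence(entries):
    # (entry, reasons) pairs for every entry matching a persistence pattern.
    return [(e, persistence_reasons(e)) for e in entries if persistence_reasons(e)]

def left_in_place(entries):
    # Flagged items the tool did not delete; these still need a manual decision.
    return [e for e, _ in flag_persistence(entries) if e.action != "Deleted"]
```

Note that the PriceMeterW value is not flagged by this rule even though it lives under AppData, because it launches its own executable rather than abusing rundll32/regsvr32; RogueKiller's own PUP tag still marks it.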
     
  8. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    Are things a little bit better now?

    If so...

    Please, complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure you PASTE all logs. If some log exceeds the 50,000 character post limit, split it between a couple of replies.
    Attached logs won't be reviewed.
     
  9. Row1

    Row1 TS Guru Topic Starter Posts: 332   +13

    Once rebooted, explorer.exe goes to high CPU usage: 51%, 25%, etc.
    Then, a warning screen appears: Windows Explorer has stopped working; check online for a solution or close the program.

    So, something is still messing with the comp via Windows Explorer.

    The dllhost.exe processes have not appeared again.

    I will try to follow those steps.
    I have much more ability to use the comp since the processor is not so slowed.
     
  10. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    OK.
     
  11. Row1

    Row1 TS Guru Topic Starter Posts: 332   +13

    I am carrying on, now. AVAST noted some slideshow virus, then kept detecting intrusions, then blue page of death - Windows crashed. I have just restarted.
    I cannot select / run AVAST - I do not have permission (?).

    Moving on to MBAM.
     
  12. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    Go ahead.
     
  13. Row1

    Row1 TS Guru Topic Starter Posts: 332   +13

    Malwarebytes second scan: second blue screen of death.
     
  14. Row1

    Row1 TS Guru Topic Starter Posts: 332   +13

    MBAM: fourth scan: no threats. Then BSOD.
    BSOD may be over-heating; my CPU continues to be heavily taxed.
    MBAM results to be posted soon. Hopefully.
     
  15. Row1

    Row1 TS Guru Topic Starter Posts: 332   +13

    Restart. Malwarebytes stops an outgoing threat from dllhost.exe.
    AND the wireless is turned off.
    Whatever is driving a dllhost.exe file kicks in once the computer is turned on.
     
  16. Row1

    Row1 TS Guru Topic Starter Posts: 332   +13

    MBAM results:

    Malwarebytes Anti-Malware
    www.malwarebytes.org
    Scan Date: 11/2/2014
    Scan Time: 10:08:34 PM
    Logfile: e4300MBAM1102.txt
    Administrator: Yes
    Version: 2.00.3.1025
    Malware Database: v2014.11.03.02
    Rootkit Database: v2014.11.01.02
    License: Trial
    Malware Protection: Enabled
    Malicious Website Protection: Enabled
    Self-protection: Disabled
    OS: Windows 7 Service Pack 1
    CPU: x86
    File System: NTFS
    User: e4300
    Scan Type: Threat Scan
    Result: Completed
    Objects Scanned: 279040
    Time Elapsed: 7 min, 58 sec
    Memory: Enabled
    Startup: Enabled
    Filesystem: Enabled
    Archives: Enabled
    Rootkits: Disabled
    Heuristics: Enabled
    PUP: Enabled
    PUM: Enabled
    Processes: 0
    (No malicious items detected)
    Modules: 0
    (No malicious items detected)
    Registry Keys: 0
    (No malicious items detected)
    Registry Values: 0
    (No malicious items detected)
    Registry Data: 0
    (No malicious items detected)
    Folders: 0
    (No malicious items detected)
    Files: 0
    (No malicious items detected)
    Physical Sectors: 0
    (No malicious items detected)

    (end)
     
  17. Row1

    Row1 TS Guru Topic Starter Posts: 332   +13

    It is night time. I will resume tomorrow.
     
  18. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    No problem :)

    After posting DDS logs here is what to do next...

    Download RogueKiller from one of the following links and save it to your Desktop:

    Link 1
    Link 2

    • Close all the running programs
    • Windows Vista/7/8 users: right click on RogueKiller.exe, click Run as Administrator
    • Otherwise just double-click on RogueKiller.exe
    • Pre-scan will start. Let it finish.
    • Click on SCAN button.
    • Wait until the Status box shows Scan Finished
    • Click on Delete.
    • Wait until the Status box shows Deleting Finished.
    • Click on Report and copy/paste the content of the Notepad into your next reply.
    • RKreport.txt could also be found on your desktop.
    • If more than one log is produced post all logs.
    • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again.

    Create a new restore point before proceeding with the next step....
    How to: http://www.smartestcomputing.us.com/topic/63983-how-to-create-new-restore-point-all-windows/

    Download Malwarebytes Anti-Rootkit to your desktop.
    • Warning! Malwarebytes Anti-Rootkit needs to be run from an account with administrator rights.
    • Double click on the downloaded file. OK the self-extracting prompt.
    • MBAR will start. Click "Next" to continue.
    • In the following screen, click "Update" to obtain the latest malware definitions.
    • Once the update is complete select "Next" and click "Scan".
    • When the scan is finished and no malware has been found select "Exit".
    • If malware was detected, make sure to check all the items and click "Cleanup". Reboot your computer.
    • Open the MBAR folder located on your Desktop and paste the content of the following files in your next reply:
      • "mbar-log-{date} (xx-xx-xx).txt"
      • "system-log.txt"
     
  19. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    Still with me?
     
  20. Row1

    Row1 TS Guru Topic Starter Posts: 332   +13

    I am back - family out of town, I have uninterrupted time to work on this today and tomorrow.
     
  21. Row1

    Row1 TS Guru Topic Starter Posts: 332   +13

    I am backtracking a bit and starting from this point:
    "Please, complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure you PASTE all logs. If some log exceeds the 50,000 character post limit, split it between a couple of replies."
     
  22. Row1

    Row1 TS Guru Topic Starter Posts: 332   +13

    This infection is pernicious. It castrated Avast.
    I have downloaded Comodo, have run an update of Comodo, and am now running a quick scan with Comodo.
     
  23. Row1

    Row1 TS Guru Topic Starter Posts: 332   +13

    Malwarebytes and DDS logs posted below, in a moment.
     
  24. Row1

    Row1 TS Guru Topic Starter Posts: 332   +13

    Malwarebytes Anti-Malware
    www.malwarebytes.org

    Scan Date: 11/9/2014
    Scan Time: 6:45:44 AM
    Logfile: e4300MBAMnov09.txt
    Administrator: Yes

    Version: 2.00.3.1025
    Malware Database: v2014.11.09.04
    Rootkit Database: v2014.11.08.01
    License: Trial
    Malware Protection: Enabled
    Malicious Website Protection: Enabled
    Self-protection: Disabled

    OS: Windows 7 Service Pack 1
    CPU: x86
    File System: NTFS
    User: e4300

    Scan Type: Threat Scan
    Result: Completed
    Objects Scanned: 282556
    Time Elapsed: 12 min, 23 sec

    Memory: Enabled
    Startup: Enabled
    Filesystem: Enabled
    Archives: Enabled
    Rootkits: Disabled
    Heuristics: Enabled
    PUP: Enabled
    PUM: Enabled

    Processes: 0
    (No malicious items detected)

    Modules: 0
    (No malicious items detected)

    Registry Keys: 0
    (No malicious items detected)

    Registry Values: 0
    (No malicious items detected)

    Registry Data: 0
    (No malicious items detected)

    Folders: 0
    (No malicious items detected)

    Files: 0
    (No malicious items detected)

    Physical Sectors: 0
    (No malicious items detected)


    (end)
     
  25. Row1

    Row1 TS Guru Topic Starter Posts: 332   +13

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2012-11-20.01)
    .
    Microsoft Windows 7 Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 6/6/2014 4:34:39 PM
    System Uptime: 11/9/2014 11:52:52 AM (1 hours ago)
    .
    Motherboard: Dell Inc. | | 0D201R
    Processor: Intel(R) Core(TM)2 Duo CPU P9400 @ 2.40GHz | Microprocessor | 2401/266mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 149 GiB total, 105.606 GiB free.
    D: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID:
    Description: Base System Device
    Device ID: PCI\VEN_1180&DEV_0843&SUBSYS_024D1028&REV_12\4&5910934&0&0AF0
    Manufacturer:
    Name: Base System Device
    PNP Device ID: PCI\VEN_1180&DEV_0843&SUBSYS_024D1028&REV_12\4&5910934&0&0AF0
    Service:
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft Teredo Tunneling Adapter
    Device ID: ROOT\*TEREDO\0000
    Manufacturer: Microsoft
    Name: Teredo Tunneling Pseudo-Interface
    PNP Device ID: ROOT\*TEREDO\0000
    Service: tunnel
    .
    Class GUID:
    Description: Broadcom USH
    Device ID: USB\VID_0A5C&PID_5800&MI_00\6&66DE6C9&0&0000
    Manufacturer:
    Name: Broadcom USH
    PNP Device ID: USB\VID_0A5C&PID_5800&MI_00\6&66DE6C9&0&0000
    Service:
    .
    ==== System Restore Points ===================
    .
    RP58: 10/21/2014 6:16:26 PM - Windows Update
    RP59: 10/28/2014 2:05:14 PM - Windows Update
    RP61: 11/2/2014 9:01:26 PM - avast! antivirus system restore point
    RP62: 11/4/2014 2:33:29 PM - Windows Update
    .
    ==== Image File Execution Options =============
    .
    .
    ==== Installed Programs ======================
    .
    .
    ==== End Of File ===========================
     