Momadice

Bootkit. Is there help for this?


This pc is a brand new hard drive from early summer. Everything has been running decently with very few hiccups. The emsisoft team has aided in a few false positives, and that's about it.

I started noticing troubles last weekend with massive browser redirects. I ran some other security programs in safe mode and there were some issues. Once everything seemed to be okay I followed the suggestions in the Emsisoft Blog, backed up my files and did a clean sweep full format reinstall of Windows 10.

Emsisoft was having a hard time installing. I could not turn on file protection and got constant errors about important components missing. I tried to put a post onto the Emsisoft support forum and I am denied the ability to do anything other than type in the title bar. I cannot type into the box below.

So I did another clean install. Now emsisoft was working. However, I am still having problems. All the antivirus etc has turned up squeaky clean. I tried to put a post onto the Emsisoft support forum and I am denied the ability to do anything other than type in the title bar. I cannot type into the box below.

I ran Rkill in an effort to boost emsisoft's chance of finding any possible infection, if there was in fact an infection, and Rkill came up with a few problems. I researched one in particular and found that others have had a problem with this file too. They labeled it a Bootkit.

 * CompositeBus => \SystemRoot\System32\DriverStore\FileRepository\compositebus.inf_amd64_912dfdedc3d2f520\CompositeBus.sys [incorrect ImagePath]

Is there any chance of fixing this or do I need to buy another hard drive? I have had to use a different pc to post this to the forum as Emsisoft is still being blocked by something that only lets me type in the subject line and not the box below.

Edited by Kevin Zoll
<< INCOMPLETE AND PASTED LOGS REMOVED >>


I do not know if this is related, and/or if I need to address it in another forum.

 

Emsisoft is behaving differently. The cursor, when hovering over the program or any other part of it, is always blinking on and off, very steadily. I wanted to make sure all the settings were proper due to the fact that I am having issues, and there is one application with no name and it is selected as block silently under application rules. I opened it up as I do not recall making a behaviour modification on something blank and I was surprised to see the default action was "Don't Block" (the main menu says "Block Silently") even after I selected a different option from the drop down list such as block and notify. As your program version was modified recently to your 11, I am not sure if these are normal occurrences or not. I have become quite reliant on Emsisoft and have established a familiar interaction with it; however, your updated version is so new to me that I do not know if these behaviours are normal with the new release or symptoms of a problem. Generally any time I have been prompted to get help from your forums by the program itself, the issues have been cleared up quite easily and quickly, so perhaps this is nothing to worry about.


Momadice,

You have done this enough to know that we want all logs attached. If you look at your first post the FRST log is truncated, that is exactly why we ask that all logs are attached, to prevent the loss of data and for your privacy.

Attach all requested logs to your next reply.


FYI: FF is misbehaving. It crashes unless run in private mode. It has been uninstalled and reinstalled and still does the same thing. When it is suitable, will you let me know when it is okay for me to find assistance with this in an appropriate browser forum?


Momadice,

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = 
C:\Users\Cindy\AppData\Local\Temp\dllnt_dump.dll
C:\Users\Cindy\AppData\Local\Temp\{526F3CA5-4886-4379-835D-D8DF7F07CB0E}.exe
AlternateDataStreams: C:\Program Files\ATI Technologies:Win32App_1
AlternateDataStreams: C:\Program Files\Emsisoft Anti-Malware:Win32App_1
AlternateDataStreams: C:\Program Files\MiniTool Partition Wizard Free 9.1:Win32App_1
AlternateDataStreams: C:\Program Files (x86)\ATI Technologies:Win32App_1
AlternateDataStreams: C:\Program Files (x86)\Malwarebytes Anti-Malware:Win32App_1
AlternateDataStreams: C:\Program Files (x86)\Mozilla Firefox:Win32App_1
AlternateDataStreams: C:\Program Files (x86)\Zemana AntiLogger Free:Win32App_1
Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST64 and press the Fix button just once and wait.

If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.


Do the following:

Download AdwCleaner and save it on your desktop.

  • Close all open programs and Internet browsers (you may want to print out or write down these instructions first).
  • Double click on adwcleaner.exe to run the tool.
  • Click on the Scan button.
  • After the scan has finished, click on the Clean button.
  • Confirm each time with OK.
  • You will be prompted to restart your computer. A text file will open in Notepad after the restart (this is the log of what was removed), which you can save on your desktop.
  • Attach that log file to your reply by clicking the More Reply Options button to the lower-right of where you type in your reply.

    NOTE: If you lose that log file for any reason, you can find it at C:\AdwCleaner on your computer.

Download Junkware Removal Tool and save it on your desktop.
  • Run the tool by double-clicking it.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log is saved to your desktop and will automatically open.
  • Attach the JRT log file to a reply by clicking the More Reply Options button to the lower-right of where you type in your reply.


Let's take a fresh look.

Run fresh scans with Emsisoft Emergency Kit (EEK) and FRST, attach the new EEK and FRST scans to your reply.

Be sure to let me know how things are running.


Attachments: EEK 25Nov2015.txt, FRST.txt, Addition.txt

 

After the new hard drive and the win 10 upgrade it seemed happy until a couple weekends ago.  Maybe I simply bought a dud computer.

So how is it running? ... I wish I knew the correct component words to tell you, but I do not, so excuse me for this, I can only describe the symptoms. They are not in any particular order, but they are all new as of a couple weeks ago. Please know I have a special needs child that crushes on a Carly Shay and has learned how to google and doesn't understand bad sites or the WOT symbols. I normally set him up with what he wants to listen to, but now I have just discovered he is browsing on his own. I will have to learn to set him up a good child's profile. Speaking about profiles, I noticed on the FRBR reports there are many profiles. Is this normal?

 

I backed up and formatted my D: drive before this session commenced. Now there is over 2 gigs of storage in use. This shows up on the mini partition wizard I have for the purpose of finding out about all the partitions on the pc. I thought I only needed two partitions, C: and D:, but apparently I have six partitions. I am fairly positive that when I formatted the D: partition it was empty. I formatted it three times to make sure, twice using the tool and once using the windows os tools. I had removed (backed up and transferred) my files to a flash drive and then formatted the drive all in the name of troubleshooting the pc, again before the commencement of this session.

 

One oddly strange thing is with my mouse pointer. For instance when I right click a file and select the properties option, the hour glass blinks on and off. Now I know the hourglass pointer comes on when the system is busy and it is a visual reminder to wait for the command to complete. This however is completely different. It blinks on and off at various speeds the entire time certain windows (such as I mentioned above) are open, as long as the mouse is hovering over it. Having used every (windows) operating system there is and using win 10 since its release, this is a new strange behaviour. Weird or what? ******Update... I discovered that this is the mouse property that tells you something is running in the background, and it is the edge browser. I guess the edge browser is always busy whenever you make any adjustments. When I close the browser or close any windows that make system adjustments the blinking stops. So this is a new behaviour.

 

Here is one walk through that is completely strange and out of my control for the first time ever. When I open control panel, then choose internet options, then select the programs tab, the top option is Opening Internet Explorer - choose how you open links. I have no access to this. The only option is a hyperlink that says Make Internet Explorer the default browser. Before recently I have been able to change this to firefox or even chrome. Choose how you open links is greyed out and a check mark is in the box open internet explorer tiles on the desktop. I cannot change this. Internet options is a control panel item I use from time to time to make sure the internet settings for cookies, remote access etc are set the way I want them. After doing what I thought was a clean install of win 10 I navigated here and haven't been able to adjust some of these settings. Is this a win 10 update thing? Before recently I have not had this issue.

 

Another strange behaviour which I have never experienced before is my number pad being switched off. The numlock key. I use the number pad all the time, and it is turned on at the outset to enter my password, and I do not adjust it as I use it all the time. It is getting turned off all the time.

FF is buggered. I have uninstalled it and reinstalled it (before our session started). Constant redirects, and when it is reinstalled it is all set up the way it was before, like I never uninstalled it to begin with. I have even deleted the original .exe and downloaded a new one to no avail. By experimenting I discovered I cannot use it in regular mode, only private mode. When I select a new tab the browser shuts down with a popup warning wanting to know if I want to quit FF (which has already closed on its own) and send off an error report. Private mode works until ? ... the laptop just freezes and/or the mouse disappears. A hard boot has been the only solution.

 

The redirects have not disappeared, but have calmed down since your fix.txt manoeuvre. But . . . there is a new behaviour where my pc freezes, no mouse control, no keyboard control, and it requires a hard boot to use it. I'm having to hard boot a few times a day. The mouse often just stops working altogether, and the trackpad. The pointer simply disappears until a reboot.

 

Emsisoft and Zemana were both turned off (not by me) and it took a little doing to get Emsisoft working again. Actually I couldn't get Emsisoft under my control, which is why I did a clean install (before this troubleshooting session, not while you have been helping me). This is what prompted troubleshooting, and these problems were the first signs that something was amok. These two programs were changed not to start up with windows, and this was not my doing. I also was not allowed to make any changes to Emsi. Now it is working. At least I think it is. They are both starting with windows again and working as they should.

I can use the edge browser. I don't like it, but it works. Emsisoft surf protection is my saviour here as it has warned me about a couple malicious sites over the last two weeks.


Under Behaviour Blocker in the Emsisoft Activate behaviour blocker there is a tick box that says hide fully trusted applications. When this box is unchecked all the applications show up.

 

My mouse pointer is blinking on and off like crazy indicating background stuff is happening, but at the same time there is a flickering of trusted applications. What I mean is there is one rundll32.exe (it flickers fast) that shows up then disappears. I cannot click on it. All the other applications I can click on and make modifications if I want. However this one shows up then disappears. I thought I would try and do a screen capture to show you, but the minute I press down on the alt key it stops altogether, and so I don't get to alt / printscreen to show you. I did however take a screen shot and diagrammed the incident in case it is something. If that is normal behaviour for the program I apologize for bringing it up, but I haven't seen this behaviour before.

 

In addition all the screen freezing and mouse freezing has stopped.  I don't know why, but it has stopped.


I just want to say, I know that you know what can or could be malware related, and I don't. The symptoms are things that I have not experienced before, all new to me. I am happy for any links you may know of in addressing non malware issues that don't qualify for assistance in this forum. All I can say regarding the above, as I have already said, is they are all new since my last attempt to solve my AV issues with a clean install of win 10 by trying to format everything. I only had 10 gigs of data to back up to a flash drive anyway. So I am good with anything I need to do with this laptop, including a complete reinstall of win 10 and then Emsisoft and Zemana. Whatever it takes.


Though I do not see any malware in your logs, this is not normal:

S3 MessagingService_26f19; C:\WINDOWS\system32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
S3 MessagingService_26f19; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U3 MessagingService_2b1d3; C:\WINDOWS\system32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U3 MessagingService_2b1d3; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U3 MessagingService_2c0d7; C:\WINDOWS\system32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U3 MessagingService_2c0d7; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U3 MessagingService_2e8fb; C:\WINDOWS\system32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U3 MessagingService_2e8fb; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U3 MessagingService_30e32; C:\WINDOWS\system32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U3 MessagingService_30e32; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U3 MessagingService_3e0f6; C:\WINDOWS\system32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U3 MessagingService_3e0f6; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U3 MessagingService_6091b; C:\WINDOWS\system32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U3 MessagingService_6091b; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U3 MessagingService_74e2c; C:\WINDOWS\system32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U3 MessagingService_74e2c; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U3 MessagingService_89e3a2; C:\WINDOWS\system32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U3 MessagingService_89e3a2; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
R2 OneSyncSvc_26f19; C:\WINDOWS\system32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
R2 OneSyncSvc_26f19; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U2 OneSyncSvc_2b1d3; C:\WINDOWS\system32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U2 OneSyncSvc_2b1d3; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U2 OneSyncSvc_2c0d7; C:\WINDOWS\system32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U2 OneSyncSvc_2c0d7; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U2 OneSyncSvc_2e8fb; C:\WINDOWS\system32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U2 OneSyncSvc_2e8fb; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U2 OneSyncSvc_30e32; C:\WINDOWS\system32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U2 OneSyncSvc_30e32; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U2 OneSyncSvc_3e0f6; C:\WINDOWS\system32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U2 OneSyncSvc_3e0f6; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U2 OneSyncSvc_6091b; C:\WINDOWS\system32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U2 OneSyncSvc_6091b; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U2 OneSyncSvc_74e2c; C:\WINDOWS\system32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U2 OneSyncSvc_74e2c; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U2 OneSyncSvc_89e3a2; C:\WINDOWS\system32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U2 OneSyncSvc_89e3a2; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
R3 PimIndexMaintenanceSvc_26f19; C:\WINDOWS\system32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
R3 PimIndexMaintenanceSvc_26f19; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U3 PimIndexMaintenanceSvc_2b1d3; C:\WINDOWS\system32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U3 PimIndexMaintenanceSvc_2b1d3; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U3 PimIndexMaintenanceSvc_2c0d7; C:\WINDOWS\system32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U3 PimIndexMaintenanceSvc_2c0d7; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U3 PimIndexMaintenanceSvc_2e8fb; C:\WINDOWS\system32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U3 PimIndexMaintenanceSvc_2e8fb; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U3 PimIndexMaintenanceSvc_30e32; C:\WINDOWS\system32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U3 PimIndexMaintenanceSvc_30e32; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U3 PimIndexMaintenanceSvc_3e0f6; C:\WINDOWS\system32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U3 PimIndexMaintenanceSvc_3e0f6; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U3 PimIndexMaintenanceSvc_6091b; C:\WINDOWS\system32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U3 PimIndexMaintenanceSvc_6091b; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U3 PimIndexMaintenanceSvc_74e2c; C:\WINDOWS\system32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U3 PimIndexMaintenanceSvc_74e2c; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U3 PimIndexMaintenanceSvc_89e3a2; C:\WINDOWS\system32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U3 PimIndexMaintenanceSvc_89e3a2; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
R3 UnistoreSvc_26f19; C:\WINDOWS\System32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
R3 UnistoreSvc_26f19; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U3 UnistoreSvc_2b1d3; C:\WINDOWS\System32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U3 UnistoreSvc_2b1d3; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U3 UnistoreSvc_2c0d7; C:\WINDOWS\System32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U3 UnistoreSvc_2c0d7; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U3 UnistoreSvc_2e8fb; C:\WINDOWS\System32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U3 UnistoreSvc_2e8fb; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U3 UnistoreSvc_30e32; C:\WINDOWS\System32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U3 UnistoreSvc_30e32; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U3 UnistoreSvc_3e0f6; C:\WINDOWS\System32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U3 UnistoreSvc_3e0f6; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U3 UnistoreSvc_6091b; C:\WINDOWS\System32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U3 UnistoreSvc_6091b; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U3 UnistoreSvc_74e2c; C:\WINDOWS\System32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U3 UnistoreSvc_74e2c; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U3 UnistoreSvc_89e3a2; C:\WINDOWS\System32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U3 UnistoreSvc_89e3a2; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
R3 UserDataSvc_26f19; C:\WINDOWS\system32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
R3 UserDataSvc_26f19; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U3 UserDataSvc_2b1d3; C:\WINDOWS\system32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U3 UserDataSvc_2b1d3; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U3 UserDataSvc_2c0d7; C:\WINDOWS\system32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U3 UserDataSvc_2c0d7; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U3 UserDataSvc_2e8fb; C:\WINDOWS\system32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U3 UserDataSvc_2e8fb; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U3 UserDataSvc_30e32; C:\WINDOWS\system32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U3 UserDataSvc_30e32; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U3 UserDataSvc_3e0f6; C:\WINDOWS\system32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U3 UserDataSvc_3e0f6; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U3 UserDataSvc_6091b; C:\WINDOWS\system32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U3 UserDataSvc_6091b; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U3 UserDataSvc_74e2c; C:\WINDOWS\system32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U3 UserDataSvc_74e2c; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U3 UserDataSvc_89e3a2; C:\WINDOWS\system32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U3 UserDataSvc_89e3a2; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
Changing tools:

Download avz4.zip from here

  • Unzip it to your desktop to a folder named avz4
  • Double click on AVZ.exe to run it.
  • Run an update by clicking the Auto Update button on the Right of the Log window: avz-update-button.png
  • Click Start to begin the update

    Note: If you receive an error message, choose a different source, then click Start again

  • After the update, from the "File" menu, choose "Standard Scripts"
  • Put a check next to item 2: Advanced System Analysis
  • Click Execute selected scripts
  • At the next prompt, click the OK button
  • Let the scan run and click "OK" when the completion prompt pops up
  • Now Close out of the Standard Scripts window, and exit AVZ
  • Navigate to the avz4 folder and locate the folder LOG
  • Inside the LOG folder you will find virusinfo_syscheck.htm, virusinfo_syscheck.htm and virusinfo_syscheck.zip
  • Attach the Compressed file, virusinfo_syscheck.zip, to your next reply.

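The long list of MessagingService_xxxxx, OneSyncSvc_xxxxx, PimIndexMaintenanceSvc_xxxxx, UnistoreSvc_xxxxx and UserDataSvc_xxxxx entries quoted above is tedious to eyeball, so here is a small triage script for FRST-style service lines. It is an added example written for this page; it is not code from the Emsisoft helper, from FRST or from AVZ. In an FRST service line the leading letter is the reported state (R running, S stopped) and the digit is the Windows start type (2 automatic, 3 manual); this script treats a "U" entry as one that FRST could not observe running or stopped, which is an assumption made here, not something stated in the thread. The hex suffix after the underscore marks a per-user service instance (Windows 10 creates one set per logon), so the useful questions are how many distinct suffixes exist, which of them are only ever "U", and whether any instance points somewhere other than the expected svchost.exe. The sample log is constructed from a few of the lines in the post plus one deliberately odd line (the C:\Users\Public path) so the path check has something to report.

```python
import re
from collections import defaultdict

# Constructed sample: a few FRST-style lines in the shape of those quoted in
# the thread, plus one made-up entry whose host binary is NOT the normal
# svchost.exe so that unexpected_hosts() has something to flag.
SAMPLE_LOG = r"""
S3 MessagingService_26f19; C:\WINDOWS\system32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
S3 MessagingService_26f19; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U3 MessagingService_2b1d3; C:\WINDOWS\system32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U3 MessagingService_2b1d3; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
R2 OneSyncSvc_26f19; C:\WINDOWS\system32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U2 OneSyncSvc_2b1d3; C:\WINDOWS\system32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U2 OneSyncSvc_89e3a2; C:\WINDOWS\system32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
R3 UserDataSvc_26f19; C:\WINDOWS\system32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
S3 MessagingService; C:\Windows\System32\MessagingService.dll [52736 2015-10-30] (Microsoft Corporation)
U3 UnistoreSvc_2c0d7; C:\Users\Public\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
"""

# One FRST service line: "<state><start> <name>; <path> [<size> <date>] (<vendor>)"
SERVICE_RE = re.compile(
    r"^(?P<state>[RSU])(?P<start>\d)\s+"
    r"(?P<name>[^;]+);\s+"
    r"(?P<path>.+?)\s+\[(?P<size>\d+)\s+(?P<date>\d{4}-\d{2}-\d{2})\]\s+"
    r"\((?P<vendor>[^)]*)\)\s*$"
)

# Per-user service instances carry a hex session suffix, e.g. OneSyncSvc_26f19.
PER_USER_RE = re.compile(r"^(?P<base>.+)_(?P<suffix>[0-9a-f]{5,})$")

# Where the shared-service host is expected to live on a 64-bit Windows install.
EXPECTED_HOSTS = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\syswow64\svchost.exe",
}


def parse_service_line(line):
    """Return a dict for one FRST service line, or None if the line is not one."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["start"] = int(rec["start"])
    rec["size"] = int(rec["size"])
    return rec


def parse_services(text):
    """Parse every recognisable service line in a block of FRST output."""
    return [r for r in (parse_service_line(l) for l in text.splitlines()) if r]


def group_per_user_services(services):
    """Map base service name -> {session suffix -> set of observed states}."""
    groups = defaultdict(lambda: defaultdict(set))
    for s in services:
        m = PER_USER_RE.match(s["name"])
        if m:
            groups[m.group("base")][m.group("suffix")].add(s["state"])
    return {base: dict(sfx) for base, sfx in groups.items()}


def stale_suffixes(groups):
    """Suffixes that appear only in state 'U' across every per-user service.

    Assumption (not from the thread): 'U' means FRST never saw that instance
    running or stopped, i.e. a leftover from an earlier logon session.
    """
    states_by_suffix = defaultdict(set)
    for suffixes in groups.values():
        for sfx, states in suffixes.items():
            states_by_suffix[sfx] |= states
    return {sfx for sfx, states in states_by_suffix.items() if states == {"U"}}


def unexpected_hosts(services):
    """Names of per-user instances whose ImagePath is not the normal svchost.exe."""
    flagged = []
    for s in services:
        if PER_USER_RE.match(s["name"]) and s["path"].lower() not in EXPECTED_HOSTS:
            flagged.append(s["name"])
    return flagged


def summarize(text):
    """One-shot triage summary for a pasted block of FRST service lines."""
    services = parse_services(text)
    groups = group_per_user_services(services)
    all_suffixes = {sfx for sfx_map in groups.values() for sfx in sfx_map}
    return {
        "service_lines": len(services),
        "per_user_bases": sorted(groups),
        "distinct_suffixes": len(all_suffixes),
        "stale_suffixes": sorted(stale_suffixes(groups)),
        "unexpected_hosts": unexpected_hosts(services),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Paste the service section of a real FRST.txt in place of SAMPLE_LOG and the summary tells you at a glance how many logon sessions left per-user instances behind and whether any of them is hosted by something other than the system svchost.exe; the latter is the line worth escalating, the former is usually just clutter from multiple profiles.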

I am doing this now. I noticed there is no request to turn off any programs or run this in any special mode, so I am running this program exactly as I did the first EEK & FRST. If you require a different method of operation, please advise.

 

I do not use social media sites, I don't even have a facebook account, I do not twitter. I do not use messenger either. I use very, very few cloud docs, only for collaborating and unimportant.

 

Okay, here is the log file:

 

virusinfo_syscheck.zip


The information you highlighted as not normal - what is all that in layman's terms?

 

Thinking to myself, I wonder if that explains the strange computer name and/or strange credentials in control panel. I have started making a list of settings and/or programs I normally use frequently that have changed or are exhibiting bad behaviour. I won't post them to you as there is a good chance you already know about them, as you are an expert tech person. If and when you would like to know, I will post them here. I suspect that any troubleshooting may even take care of these concerns. Which, at the moment, I am quite concerned about, and I am acting needlessly paranoid. LOL


Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

S3 MessagingService; C:\Windows\System32\MessagingService.dll [52736 2015-10-30] (Microsoft Corporation)
S3 MessagingService_26f19; C:\WINDOWS\system32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
S3 MessagingService_26f19; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U3 MessagingService_2b1d3; C:\WINDOWS\system32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U3 MessagingService_2b1d3; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U3 MessagingService_2c0d7; C:\WINDOWS\system32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U3 MessagingService_2c0d7; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U3 MessagingService_2e8fb; C:\WINDOWS\system32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U3 MessagingService_2e8fb; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U3 MessagingService_30e32; C:\WINDOWS\system32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U3 MessagingService_30e32; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U3 MessagingService_3e0f6; C:\WINDOWS\system32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U3 MessagingService_3e0f6; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U3 MessagingService_6091b; C:\WINDOWS\system32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U3 MessagingService_6091b; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U3 MessagingService_74e2c; C:\WINDOWS\system32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U3 MessagingService_74e2c; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U3 MessagingService_89e3a2; C:\WINDOWS\system32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U3 MessagingService_89e3a2; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
R2 OneSyncSvc_26f19; C:\WINDOWS\system32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
R2 OneSyncSvc_26f19; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U2 OneSyncSvc_2b1d3; C:\WINDOWS\system32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U2 OneSyncSvc_2b1d3; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U2 OneSyncSvc_2c0d7; C:\WINDOWS\system32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U2 OneSyncSvc_2c0d7; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U2 OneSyncSvc_2e8fb; C:\WINDOWS\system32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U2 OneSyncSvc_2e8fb; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U2 OneSyncSvc_30e32; C:\WINDOWS\system32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U2 OneSyncSvc_30e32; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U2 OneSyncSvc_3e0f6; C:\WINDOWS\system32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U2 OneSyncSvc_3e0f6; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U2 OneSyncSvc_6091b; C:\WINDOWS\system32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U2 OneSyncSvc_6091b; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U2 OneSyncSvc_74e2c; C:\WINDOWS\system32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U2 OneSyncSvc_74e2c; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U2 OneSyncSvc_89e3a2; C:\WINDOWS\system32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U2 OneSyncSvc_89e3a2; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
R3 PimIndexMaintenanceSvc_26f19; C:\WINDOWS\system32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
R3 PimIndexMaintenanceSvc_26f19; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U3 PimIndexMaintenanceSvc_2b1d3; C:\WINDOWS\system32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U3 PimIndexMaintenanceSvc_2b1d3; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U3 PimIndexMaintenanceSvc_2c0d7; C:\WINDOWS\system32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U3 PimIndexMaintenanceSvc_2c0d7; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U3 PimIndexMaintenanceSvc_2e8fb; C:\WINDOWS\system32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U3 PimIndexMaintenanceSvc_2e8fb; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U3 PimIndexMaintenanceSvc_30e32; C:\WINDOWS\system32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U3 PimIndexMaintenanceSvc_30e32; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U3 PimIndexMaintenanceSvc_3e0f6; C:\WINDOWS\system32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U3 PimIndexMaintenanceSvc_3e0f6; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U3 PimIndexMaintenanceSvc_6091b; C:\WINDOWS\system32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U3 PimIndexMaintenanceSvc_6091b; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U3 PimIndexMaintenanceSvc_74e2c; C:\WINDOWS\system32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U3 PimIndexMaintenanceSvc_74e2c; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U3 PimIndexMaintenanceSvc_89e3a2; C:\WINDOWS\system32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U3 PimIndexMaintenanceSvc_89e3a2; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
R3 UnistoreSvc_26f19; C:\WINDOWS\System32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
R3 UnistoreSvc_26f19; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U3 UnistoreSvc_2b1d3; C:\WINDOWS\System32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U3 UnistoreSvc_2b1d3; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U3 UnistoreSvc_2c0d7; C:\WINDOWS\System32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U3 UnistoreSvc_2c0d7; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U3 UnistoreSvc_2e8fb; C:\WINDOWS\System32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U3 UnistoreSvc_2e8fb; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U3 UnistoreSvc_30e32; C:\WINDOWS\System32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U3 UnistoreSvc_30e32; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U3 UnistoreSvc_3e0f6; C:\WINDOWS\System32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U3 UnistoreSvc_3e0f6; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U3 UnistoreSvc_6091b; C:\WINDOWS\System32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U3 UnistoreSvc_6091b; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U3 UnistoreSvc_74e2c; C:\WINDOWS\System32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U3 UnistoreSvc_74e2c; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U3 UnistoreSvc_89e3a2; C:\WINDOWS\System32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U3 UnistoreSvc_89e3a2; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
R3 UserDataSvc_26f19; C:\WINDOWS\system32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
R3 UserDataSvc_26f19; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U3 UserDataSvc_2b1d3; C:\WINDOWS\system32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U3 UserDataSvc_2b1d3; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U3 UserDataSvc_2c0d7; C:\WINDOWS\system32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U3 UserDataSvc_2c0d7; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U3 UserDataSvc_2e8fb; C:\WINDOWS\system32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U3 UserDataSvc_2e8fb; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U3 UserDataSvc_30e32; C:\WINDOWS\system32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U3 UserDataSvc_30e32; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U3 UserDataSvc_3e0f6; C:\WINDOWS\system32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U3 UserDataSvc_3e0f6; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U3 UserDataSvc_6091b; C:\WINDOWS\system32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U3 UserDataSvc_6091b; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U3 UserDataSvc_74e2c; C:\WINDOWS\system32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U3 UserDataSvc_74e2c; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
U3 UserDataSvc_89e3a2; C:\WINDOWS\system32\svchost.exe [43944 2015-10-30] (Microsoft Corporation)
U3 UserDataSvc_89e3a2; C:\WINDOWS\SysWOW64\svchost.exe [37256 2015-10-30] (Microsoft Corporation)
AlternateDataStreams: C:\Program Files\ATI Technologies:Win32App_1
AlternateDataStreams: C:\Program Files\Emsisoft Anti-Malware:Win32App_1
AlternateDataStreams: C:\Program Files\MiniTool Partition Wizard Free 9.1:Win32App_1
AlternateDataStreams: C:\Program Files (x86)\ATI Technologies:Win32App_1
AlternateDataStreams: C:\Program Files (x86)\Malwarebytes Anti-Malware:Win32App_1
AlternateDataStreams: C:\Program Files (x86)\Mozilla Firefox:Win32App_1
AlternateDataStreams: C:\Program Files (x86)\Zemana AntiLogger Free:Win32App_1
Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST64 and press the Fix button just once and wait.

If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.


Let's take a fresh look.

Run fresh scans with Emsisoft Emergency Kit (EEK) and FRST, attach the new EEK and FRST scans to your reply.

Be sure to let me know how things are running.


So how is it running? ...

1)  I noticed on the FRST reports there are many profiles.  Is this normal?

2)  Emsisoft is still working like a charm on surf protection.  I love this feature.

4)  I still have partitions on my hard drive that I didn't make, that I tried to format and now have storage on them that I cannot see.

5)  I was finally able to use the behaviour blocker feature to capture that rundll32.exe that kept flickering.  I asked for it to be blocked and now:

     a)  Number pad is working as good as new.
     b)  The annoying mouse pointer working in the background has stopped running.
     c)  The screen freezing and loss of mouse or track pad function that required a hard boot has also stopped.
     d)  When it is unblocked the background pointer indicator runs almost non-stop, and the computer behaves poorly.

6)  The scans do not include this rundll32.exe being blocked, however it is very difficult and annoying to use the computer while the file is being fully trusted and whitelisted by Emsisoft by default.

7)  FF is still closing down when used in regular mode, I need to use the private mode.

8)  This particular line I notice in the FRST logs was addressed in previous malware submissions on the Emsi forums and was determined to be a 'false positive'.  I am bringing this to your attention only because it is on the report and perhaps there is still a problem.  Or not.  I do not know.  I figure it is better to mention it than not to mention it.

HKU\S-1-5-21-1252109065-3782222669-2188073236-1001\...\StartupApproved\Run: => "RESTART_STICKY_NOTES"

8)  Using the Edge browser I find that a lot of the websites that I want to go to are highlighted as malicious.  There is no opportunity to "copy the link" and have VirusTotal look at it to test the URL first, I can only do it after the page has loaded in the browser, so I have stopped using Edge and went back to private mode in FF, as I can at least have the links checked by VirusTotal before I click on them.

Attachments: EEK scan_151201-142358.txt, Addition.txt, FRST.txt


I forgot:  I am unable to post programs to the task bar like notepad.  I am unable to remove some of the apps I do not use, that I have been able to remove in the past.


Kevin, I am looking for forums on sanitizing external hard drives and flash drives.  I know Emsisoft automatically scans things when they are newly attached to my laptop.  I am not sure why I am getting problems on my laptop (aka how I screwed it up LOL) and I am nervous of creating another problem by pulling pictures etc. from old backups and files saved on flash.  Can I start another thread in the forums for this or should I wait until we are done here?


1)  I noticed on the FRST reports there are many profiles.  Is this normal?

Yes, this is normal.

4)  I still have partitions on my hard drive that I didn't make, that I tried to format and now have storage on them that I cannot see.

Most OEM computers come with 1 or more hidden partitions.

6)  The scans do not include this rundll32.exe being blocked, however it is very difficult and annoying to use the computer while the file is being fully trusted and whitelisted by Emsisoft by default.

You should not be blocking rundll32.exe, it is responsible for loading and running DLL files.

7)  FF is still closing down when used in regular mode, I need to use the private mode.

Uninstall and reinstall Firefox.

8)  This particular line I notice in the FRST logs was addressed in previous malware submissions on the Emsi forums and was determined to be a 'false positive'.  I am bringing this to your attention only because it is on the report and perhaps there is still a problem.  Or not.  I do not know.  I figure it is better to mention it than not to mention it.

HKU\S-1-5-21-1252109065-3782222669-2188073236-1001\...\StartupApproved\Run: => "RESTART_STICKY_NOTES"

This is fine.

8)  Using the Edge browser I find that a lot of the websites that I want to go to are highlighted as malicious.  There is no opportunity to "copy the link" and have VirusTotal look at it to test the URL first, I can only do it after the page has loaded in the browser, so I have stopped using Edge and went back to private mode in FF, as I can at least have the links checked by VirusTotal before I click on them.

Edge is an unfinished product and lacks many features of a mature browser. I don't even use it.

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

AlternateShell: 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot => "AlternateShell"=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\AutorunsDisabled => "AlternateShell"="cmd.exe"
Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST64 and press the Fix button just once and wait.

If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.

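As an added check, not part of the thread or of Kevin's FRST fix: a PowerShell snippet that reads the SafeBoot AlternateShell value the fixlist above resets and reports whether it is empty, parked under the AutorunsDisabled subkey, or already set to the expected cmd.exe. It assumes cmd.exe is the expected value (the Windows default for "Safe Mode with Command Prompt") and is meant to be run from an elevated PowerShell before and after applying the fix.

```powershell
# Added example, not from the thread: audit the SafeBoot AlternateShell value.
# Assumption: cmd.exe is the expected shell for "Safe Mode with Command Prompt".
$safeBoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
$expected = 'cmd.exe'

function Get-RegValueOrNull {
    # Returns the named REG_SZ value, or $null when the key or value is missing.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# Live value used when booting Safe Mode with Command Prompt.
$current = Get-RegValueOrNull -Path $safeBoot -Name 'AlternateShell'
# Copy left behind under AutorunsDisabled (the fixlist above moves it back).
$parked  = Get-RegValueOrNull -Path "$safeBoot\AutorunsDisabled" -Name 'AlternateShell'

if ($current -eq $expected) {
    $state = 'OK: AlternateShell is cmd.exe'
} elseif ([string]::IsNullOrEmpty($current)) {
    $state = 'EMPTY: Safe Mode with Command Prompt has no shell configured'
} else {
    $state = 'UNEXPECTED: review this value before trusting Safe Mode'
}

[pscustomobject]@{
    Key            = $safeBoot
    AlternateShell = $current
    ParkedCopy     = $parked
    State          = $state
} | Format-List
```

After running the FRST fix, AlternateShell should read cmd.exe and ParkedCopy should be empty.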

Attachment: Fixlog 1Dec2015.txt

Read and noted all the responses to my editorial.  LOL.  I will uninstall and re-install FF in the am.  I have already done this a few times, but not since you have been investigating and tweaking.  So I'll update you on that as soon as I do it.


Kevin, I am looking for forums on sanitizing external hard drives and flash drives.  I know Emsisoft automatically scans things when they are newly attached to my laptop.  I am not sure why I am getting problems on my laptop (aka how I screwed it up LOL) and I am nervous of creating another problem by pulling pictures etc. from old backups and files saved on flash.  Can I start another thread in the forums for this or should I wait until we are done here?

I do not recommend wiping hard drives with OEM versions of Windows. Doing so will wipe the entire drive and the contents of all partitions. This would make restoring the computer impossible without having a physical copy of the OEM installation media. The best approach to reinstalling Windows from an OEM recovery partition is to have the Windows Installer, remove the existing Windows Partition and create a new partition to install Windows.


Okay.  They are external drives and flash drives which I use for backup of data.  I didn't know I could create a partition on a flash drive.  I learned something new.

FF was uninstalled using the control panel and then I reinstalled it.  There is no change in behaviour.

All freezing and mouse and trackpad problems have stopped. :)

Redirects have gone down a lot, I still get some but I think they are legitimate.  But I am still using FF private, I don't know if the problem is solved using the regular mode of FF.

Overall the computer is running a lot better than it was.


Let's try this:

Download RogueKiller from one of the following links and save it to your desktop:

  • Link 1
  • Link 2

  • Close all programs and disconnect any USB or external drives before running the tool.
  • Double-click RogueKiller.exe to run the tool (Vista or 7 users: Right-click and select Run As Administrator).
  • Once the Prescan has finished, click Scan.
  • Once the Status box shows "Scan Finished", just close the program. <--Don't fix anything!
  • Attach the RogueKiller report to your next reply.
    • The log can also be found on your desktop labeled (RKreport[X]_S_xxdatexx_xtimex)
    • The highest number of [X] is the most recent Scan


Close all programs and disconnect any USB or external drives before running the tool.

  • Double-click RogueKiller.exe to run the tool again (Vista or 7 users: Right-click and select Run As Administrator).
  • Once the Prescan has finished, click Scan.
  • Once the Status box shows "Scan Finished":
    • Click the Registry Tab and select the following items:

      [PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-1252109065-3782222669-2188073236-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve -> Found
      [PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-1252109065-3782222669-2188073236-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve -> Found

    • Click the Delete button.
  • Attach the RogueKiller report to your next reply.
    • The log can also be found on your desktop labeled (RKreport[X]_D_xxdatexx_xtimex)
    • The highest number of [X] is the most recent Delete


Read carefully and follow these steps.

  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application.

    [image: tdss1.png]

  • Click Change parameters

    [image: settings20121003115955.png]

  • Check the boxes next to Verify Driver Digital Signature and Detect TDLFS file system, then click OK

    [image: tdss3.png]

  • Click on the Start Scan button to begin the scan and wait for it to finish.

    NOTE: Do not use the computer during the scan!

  • During the scan it will look similar to the image below:

    [image: tdss4.jpg]

  • When it finishes, you will either see a report that no threats were found like below:

    [image: tdss5.jpg]

    If no threats are found at this point, just click the Report selection on the top right of the form to generate a log. A log file report will pop up, which you can just close since the report file is already saved.

  • If any infection or suspected items are found, you will see a window similar to below:

    [image: tdss7.jpg]

    • If you have files that are shown to fail the signature check, do not take any action on these. Make sure you select Skip. I will tell you what to do with these later. They may not be issues at all.
    • If Suspicious objects are detected, the default action will be Skip. Leave the default set to Skip.
    • If Malicious objects are detected, they will show in the Scan results. TDSSKiller automatically selects an action (Cure or Delete) for malicious objects.
    • Make sure that Cure is selected. Important! - If Cure is not available, please choose Skip instead. Do not choose Delete unless instructed to do so.
  • Click Continue to apply selected actions.
  • A reboot may be required to complete disinfection. A window like the below will appear:

    [image: tdss6.jpg]

    Reboot immediately if TDSSKiller states that one is needed.

  • Whether an infection is found or not, a log file should have already been created on your C: drive (or whatever drive you boot from) in the root folder, named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt, which is based on the program version # and the date and time run.
  • Attach this log to your next reply.


Momadice,

The TDSSKiller log looks fine.

Your logs are not showing anything to explain what may be causing the problem with Firefox.


Okay, I will give those instructions a try.  I really thought I had deleted the profile as well in previous attempts to resolve the installation.  I have done this many times before with success, I make sure that nothing is migrated from other browsers when it starts up, and the profile is always new, meaning I have to go in and reinstall any add-ons that I like to use as well.  I have not had this particular problem before.  Let's see what happens.....


Sorry Kevin, I've been away a couple days.

I am just going to follow the Firefox information now.

Still crashes when I try to open a new tab.

I have noticed that the last several Flash updates have created performance problems with Firefox. After the reinstall of FF what scans would you like?


I've been browsing various forums for FF.  I used the about:config - I simply do not understand what's normal and what is not.  I thought it would just be about FF - but there are a lot of references to Chrome in there.

Should I be organizing a 'drop-laptop-from-the-nearest-balcony' party yet?  LOL

I just tried to uninstall and remove the Mozilla folders etc. in safe mode as was suggested in part of the instructions from the above link.  It still has not solved the problem.

I would like to note that the Mozilla profile folder was not where it was suggested to look for it.  I did a whole PC search for Mozilla and then again for FF, and deleted what I was allowed to delete.  I was denied access to some folders.  It took some time for the search to finish, quite a bit of time, I was hopeful this time around.  I downloaded FF again, and reinstalled it, and it is still not working.  Only private mode works.

The more I start looking at files the more po'd I get because I don't know if they are problems or not.  I do want to mention there were some files dated from July 2015.  I have done three full formats at least since July.  The last one being about a week old before hooking up in this forum.  It seems odd to me to still have FF files from July, but I don't know what I am doing, so I thought I would mention it just in case it's a clue.

Anyway, the FF problem is not fixed yet.  :(


Momadice,

I am going to have you reset some areas of Windows to their defaults.

Download Windows Repair by Tweaking.com to your desktop. Use the direct download link for the Portable version of Windows Repair by Tweaking.com

This tool will need to be run in Safe Mode.

  • Double-click tweaking.com_windows_repair_aio.zip and extract the Tweaking.com - Windows Repair folder to your desktop.
  • Now open this folder and double-click Repair_Windows.exe.
  • Click the Repairs tab on the far right.
  • Click the Start button (bottom right)

    Note: When asked if you would like to create a restore point, it is recommended, just in case something does not go as planned.

  • Click Unselect All
  • Put a checkmark in the following items:
    • Reset Registry Permissions
    • Reset File Permissions
    • Remove Policies Set By Infections
    • Repair Proxy Settings
    • Repair Volume Shadow Copy Service
    Note: Leave everything else unchecked
  • Put a checkmark in Restart System When Finished
  • Now click the Start button (bottom right)


I am on this today.  Should be done soon.

I was just going over the logs from Emsisoft as it was doing its scheduled scan.  The behaviour blocker for Firefox I have set up to monitor.  Well, it is being monitored, and it is full of bad detections such as blocking code injectors, remote control, trojan droppers etc. etc.

Okay, I am going to do the above request.


You may end up having to take ownership of the files and folders that won't delete. We'll cross that bridge when we come to it.


The Edge browser wasn't letting me anywhere near this site.

Firefox is still shutting down every time I use the add-a-tab "+".  I am using FF to post this reply though.

I performed all the requests in the Tweaking troubleshooting guide above.

So?  What can I do next?  I am actually starting to enjoy the process.  LOL.  I am learning a lot.


OK, completely uninstall Firefox.

Delete all folders left behind from the uninstall.

If the folders and files will not delete, you will need to take ownership.

Copy the contents of the below quote box to Notepad; Save As InstallTakeOwnership.reg to your Desktop; make sure File Type: is set to All Files (*.*).

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\*\shell\runas]
@="Take Ownership"
"NoWorkingDirectory"=""

[HKEY_CLASSES_ROOT\*\shell\runas\command]
@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"

[HKEY_CLASSES_ROOT\Directory\shell\runas]
@="Take Ownership"
"NoWorkingDirectory"=""

[HKEY_CLASSES_ROOT\Directory\shell\runas\command]
@="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"
Close Notepad.

Locate InstallTakeOwnership.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

Restart the computer.

In Explorer left-click on the folder in the file tree on the left pane, and select "Take Ownership" from the context menu. You should be able to delete the folder.

After all of Firefox and any remnants have been removed, you can install Firefox again.

If Firefox still misbehaves, then I have no idea what the issue is.


Well, some things happened.

I uninstalled FF using control panel.  Then I did a PC search for anything 'mozilla' and 'firefox'.

I have to go use a different computer, Edge is not letting me type on this site atm.


I uninstalled FF.

I searched for anything with Mozilla or FF in it.

I tried to make sure I did not have any hidden files as well.

I deleted all I could find.  Not that there were a lot, having deleted stuff already before this attempt.

One file wouldn't let me delete it, so I used Take Ownership and then deleted it.  Thank you for that.

I went to reinstall FF - and things got a little weird.

I right-clicked on the FF executable and selected run-as-an-administrator to reinstall the program.  Emsi gave me a warning that the program (FF executable) had changed and stated that it may be faked.  It gave me an option of choosing a 'rule' (as it was part of a rule in the past) and I chose the option to let Emsi treat the FF dot exe file like a brand new program that was never there before........then Emsi immediately blocked the program with a huge warning all in red stating the program was dangerous spyware trying to install a backdoor trojan type thing.  Emsi stopped it and quarantined it.  I am not sure where it went in the Emsi logs, however I manually put the .exe file in the recycle bin.  I am a little surprised, and it sure did take a lot of work on your end to expose that.

This topic is now closed to further replies.
