44 replies to this topic

[CoolCat]

ISP is Mediacom Cable. 

[LiquidTension]

Okay, thank you. 
 
Please do the following. 
Let me know how the computer is performing afterwards. 
 
STEP 1
 RogueKiller Fix

• Close any running programmes.
• Right-Click RogueKiller.exe and select  Run as administrator to run the programme.
• Allow the Prescan to complete.
• A browser window may open. Close the browser window.
• Click . 
• Upon completion, do the following:
   
• Click  and place a checkmark next to the following items. Ensure any other items are unchecked.
  • [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 97.64.183.164 97.64.209.37 [(Unknown Country?) (XX)][(Unknown Country?) (XX)]  -> Found
  • [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 97.64.183.164 97.64.209.37 [(Unknown Country?) (XX)][(Unknown Country?) (XX)]  -> Found
  • [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 97.64.183.164 97.64.209.37 [(Unknown Country?) (XX)][(Unknown Country?) (XX)]  -> Found
  • [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{C3899F35-22AA-4ECC-A690-A634B3D89B8E} | DhcpNameServer : 97.64.183.164 97.64.209.37 [(Unknown Country?) (XX)][(Unknown Country?) (XX)]  -> Found
  • [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{C3899F35-22AA-4ECC-A690-A634B3D89B8E} | DhcpNameServer : 97.64.183.164 97.64.209.37 [(Unknown Country?) (XX)][(Unknown Country?) (XX)]  -> Found
  • [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{C3899F35-22AA-4ECC-A690-A634B3D89B8E} | DhcpNameServer : 97.64.183.164 97.64.209.37 [(Unknown Country?) (XX)][(Unknown Country?) (XX)]  -> Found
• Click .
   
• Click .
• Copy the contents of the log and paste in your next reply.
   

STEP 2
 Emsisoft Emergency Kit (Portable)

• Please download Emsisoft Emergency Kit and save the file to a your Desktop.
• Double-click EmsisoftEmergencyKit.exe.
• Click Extract.
• Upon completion, double-click the Emsisoft Emergency Kit shortcut on your Desktop to start the programme.
• Click Yes to update the programme definitions.
• Click Yes to detect Potentially Unwanted Programs (PUP's).
• Click Scan now.
• Select Full Scan and click Scan.
• Close any High Risk notification screen that may appear.
• When the scan is finished click Quarantine selected objects if malicious objects were found.
• Click View Report, and open the most recent log. 
• Copy the contents of the log and paste in your next reply.
   

STEP 3
 ESET Online Scan
Note: This scan may take a long time to complete. Please do not browse the Internet whilst your Anti-Virus is disabled.

• Please download ESET Online Scan and save the file to your Desktop.
• Temporarily disable your anti-virus software. For instructions, please refer to the following link.
• Double-click esetsmartinstaller_enu.exe to run the programme. 
• Agree to the EULA by placing a checkmark next to Yes, I accept the Terms of Use. Then click Start.
• Agree to the Terms of Use once more and click Start. Allow components to download.
• Place a checkmark next to Enable detection of potentially unwanted applications.
• Click Hide advanced settings. Place a checkmark next to:
  • Scan archives
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth technology
• Ensure Remove found threats is unchecked.
• Click Start.
• Wait for the scan to finish. Please be patient as this can take some time.
• Upon completion, click . If no threats were found, skip the next two bullet points. 
• Click  and save the file to your Desktop, naming it something such as "MyEsetScan".
• Push the Back button.
• Place a checkmark next to  and click .
• Re-enable your anti-virus software.
• Copy the contents of the log and paste in your next reply.
   

======================================================
 
STEP 4
 Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

• RKreport.txt
• Emsisoft log
• ESET Online Scan log

[CoolCat]

There is more to these registry entries than RogueKiller is showing in the program where i can click the ticker boxes.  Nowhere does it say [(Unknown Country?) (XX)][(Unknown Country?) (XX)]  -> Found.  Should I continue and click those, anyway? This is very confusing because the registry keys are so long, I am having to scroll back and forth and back and forth, trying to discern which is which.  i sure don't want to delete the wrong ones!

[LiquidTension]

Hi Kittie, 
 
Look for the lines that have the following numbers: 97.64.183.164        97.64.209.37
Ensure these lines have a checkmark next to them. 
 
The other lines should not have a checkmark.

[CoolCat]

OK!

[CoolCat]

RogueKiller V10.1.0.0 (x64) [Dec 11 2014] by Adlice 

 

Software

mail : http://www.adlice.com/contact/

Feedback : http://forum.adlice.com

Website : 

 

http://www.adlice.co...es/roguekiller/

Blog : http://www.adlice.com

 

Operating System : Windows 7 (6.1.7601 Service Pack 

 

1) 64 bits version

Started in : Normal mode

User : Chris Blaze [Administrator]

Mode : Delete -- Date : 12/13/2014  23:24:26

 

¤¤¤ Processes : 0 ¤¤¤

 

¤¤¤ Registry : 23 ¤¤¤

[PUM.HomePage] (X64) HKEY_USERS\.DEFAULT\Software

 

\Microsoft\Internet Explorer\Main | Start Page : 

 

http://www.microsoft...sapi/redir.dll?

 

prd=ie&ar=msnhome  -> Not selected

[PUM.HomePage] (X86) HKEY_USERS\.DEFAULT\Software

 

\Microsoft\Internet Explorer\Main | Start Page : 

 

http://www.microsoft...sapi/redir.dll?

 

prd=ie&ar=msnhome  -> Not selected

[PUM.HomePage] (X64) HKEY_USERS\S-1-5-18\Software

 

\Microsoft\Internet Explorer\Main | Start Page : 

 

http://www.microsoft...sapi/redir.dll?

 

prd=ie&ar=msnhome  -> Not selected

[PUM.HomePage] (X86) HKEY_USERS\S-1-5-18\Software

 

\Microsoft\Internet Explorer\Main | Start Page : 

 

http://www.microsoft...sapi/redir.dll?

 

prd=ie&ar=msnhome  -> Not selected

[PUM.SearchPage] (X64) HKEY_USERS\.DEFAULT

 

\Software\Microsoft\Internet Explorer\Main | Search 

 

Page : http://www.microsoft...sapi/redir.dll?

 

prd=ie&ar=iesearch  -> Replaced 

 

(http://go.microsoft....k/?LinkId=54896)

[PUM.SearchPage] (X86) HKEY_USERS\.DEFAULT

 

\Software\Microsoft\Internet Explorer\Main | Search 

 

Page : http://www.microsoft...sapi/redir.dll?

 

prd=ie&ar=iesearch  -> Not selected

[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-

 

1437231282-1839955917-1510631889-1000\Software

 

\Microsoft\Internet Explorer\Main | Search Page : 

 

http://www.microsoft...sapi/redir.dll?

 

prd=ie&ar=iesearch  -> Not selected

[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-

 

1437231282-1839955917-1510631889-1000\Software

 

\Microsoft\Internet Explorer\Main | Search Page : 

 

http://www.microsoft...sapi/redir.dll?

 

prd=ie&ar=iesearch  -> Not selected

[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-

 

18\Software\Microsoft\Internet Explorer\Main | 

 

Search Page : 

 

http://www.microsoft...sapi/redir.dll?

 

prd=ie&ar=iesearch  -> Not selected

[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-

 

18\Software\Microsoft\Internet Explorer\Main | 

 

Search Page : 

 

http://www.microsoft...sapi/redir.dll?

 

prd=ie&ar=iesearch  -> Not selected

[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System

 

\CurrentControlSet\Services\Tcpip\Parameters | 

 

DhcpNameServer : 97.64.183.164 97.64.209.37 

 

[(Unknown Country?) (XX)][(Unknown Country?) (XX)]  

 

-> Replaced ()

[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System

 

\ControlSet001\Services\Tcpip\Parameters | 

 

DhcpNameServer : 97.64.183.164 97.64.209.37 

 

[(Unknown Country?) (XX)][(Unknown Country?) (XX)]  

 

-> Replaced ()

[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System

 

\ControlSet002\Services\Tcpip\Parameters | 

 

DhcpNameServer : 97.64.183.164 97.64.209.37 

 

[(Unknown Country?) (XX)][(Unknown Country?) (XX)]  

 

-> Replaced ()

[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System

 

\CurrentControlSet\Services\Tcpip\Parameters

 

\Interfaces\{3FA550CF-FFED-4903-85BF-7DE20E6ED189} 

 

| DhcpNameServer : 209.18.47.61 209.18.47.62 

 

[UNITED STATES (US)][UNITED STATES (US)]  -> Not 

 

selected

[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System

 

\CurrentControlSet\Services\Tcpip\Parameters

 

\Interfaces\{C3899F35-22AA-4ECC-A690-A634B3D89B8E} 

 

| DhcpNameServer : 97.64.183.164 97.64.209.37 

 

[(Unknown Country?) (XX)][(Unknown Country?) (XX)]  

 

-> Replaced ()

[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System

 

\ControlSet001\Services\Tcpip\Parameters

 

\Interfaces\{3FA550CF-FFED-4903-85BF-7DE20E6ED189} 

 

| DhcpNameServer : 209.18.47.61 209.18.47.62 

 

[UNITED STATES (US)][UNITED STATES (US)]  -> Not 

 

selected

[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System

 

\ControlSet001\Services\Tcpip\Parameters

 

\Interfaces\{C3899F35-22AA-4ECC-A690-A634B3D89B8E} 

 

| DhcpNameServer : 97.64.183.164 97.64.209.37 

 

[(Unknown Country?) (XX)][(Unknown Country?) (XX)]  

 

-> Replaced ()

[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System

 

\ControlSet002\Services\Tcpip\Parameters

 

\Interfaces\{3FA550CF-FFED-4903-85BF-7DE20E6ED189} 

 

| DhcpNameServer : 209.18.47.61 209.18.47.62 

 

[UNITED STATES (US)][UNITED STATES (US)]  -> Not 

 

selected

[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System

 

\ControlSet002\Services\Tcpip\Parameters

 

\Interfaces\{C3899F35-22AA-4ECC-A690-A634B3D89B8E} 

 

| DhcpNameServer : 97.64.183.164 97.64.209.37 

 

[(Unknown Country?) (XX)][(Unknown Country?) (XX)]  

 

-> Not selected

[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE

 

\Software\Microsoft\Windows\CurrentVersion

 

\Explorer\HideDesktopIcons\NewStartPanel | 

 

{20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Not 

 

selected

[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE

 

\Software\Microsoft\Windows\CurrentVersion

 

\Explorer\HideDesktopIcons\NewStartPanel | 

 

{59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Not 

 

selected

[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE

 

\Software\Microsoft\Windows\CurrentVersion

 

\Explorer\HideDesktopIcons\NewStartPanel | 

 

{20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Not 

 

selected

[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE

 

\Software\Microsoft\Windows\CurrentVersion

 

\Explorer\HideDesktopIcons\NewStartPanel | 

 

{59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Not 

 

selected

 

¤¤¤ Tasks : 0 ¤¤¤

 

¤¤¤ Files : 0 ¤¤¤

 

¤¤¤ Hosts File : 1 ¤¤¤

[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1   

 

    localhost

 

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

 

¤¤¤ Web browsers : 0 ¤¤¤

 

¤¤¤ MBR Check : ¤¤¤

+++++ PhysicalDrive0: WDC WD5000BPVT-22HXZT3 ATA 

 

Device +++++

--- User ---

[MBR] 838a41500d0039179a992af28e58776f

[BSP] bafed0fca048e0219a515af11be612a6 : Windows 

 

Vista/7/8 MBR Code

Partition table:

0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset 

 

(sectors): 2048 | Size: 16384 MB

1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 

 

33556480 | Size: 100 MB

2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 

 

33761280 | Size: 460454 MB

User = LL1 ... OK

User = LL2 ... OK

 

 

============================================

RKreport_SCN_12132014_220054.log - 

 

RKreport_SCN_12132014_225955.log

[CoolCat]

Emsisoft Emergency Kit - Version 9.0

Last update: N/A

User account: CHELSEA\Chris Blaze

 

Scan settings:

 

Scan type: Full Scan

Objects: Rootkits, Memory, Traces, C:\

 

Detect PUPs: On

Scan archives: On

ADS Scan: On

File extension filter: Off

Advanced caching: On

Direct disk access: Off

 

Scan start: 12/13/2014 11:42:44 PM

Value: HKEY_USERS\S-1-5-21-1437231282-1839955917-

 

1510631889-1000\SOFTWARE\MICROSOFT\WINDOWS

 

\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR

 

detected: Setting.DisableTaskMgr (A)

Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT

 

\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> 

 

DISABLEREGISTRYTOOLS detected: 

 

Setting.DisableRegistryTools (A)

Value: HKEY_USERS\S-1-5-21-1437231282-1839955917-

 

1510631889-1000\SOFTWARE\MICROSOFT\WINDOWS

 

\CURRENTVERSION\POLICIES\SYSTEM -> 

 

DISABLEREGISTRYTOOLS detected: 

 

Setting.DisableRegistryTools (A)

Key: HKEY_USERS\.DEFAULT\SOFTWARE\APPDATALOW

 

\{1146AC44-2F03-4431-B4FD-889BC837521F}

 

detected: Application.Win32.InstallAd (A)

Key: HKEY_USERS\S-1-5-18\SOFTWARE\APPDATALOW

 

\{1146AC44-2F03-4431-B4FD-889BC837521F}

 

detected: Application.Win32.InstallAd (A)

 

Scanned 227983

Found 5

 

Scan end: 12/14/2014 12:55:27 AM

Scan time: 1:12:43

[CoolCat]

C:\FRST\Quarantine\C\Users\Chris Blaze\AppData\Local\Temp\doxillionsetup.exe.xBAD a variant of Win32/Toolbar.Conduit.H potentially unwanted application

C:\FRST\Quarantine\C\Users\Chris Blaze\AppData\Local\Temp\vpsetup.exe.xBAD a variant of Win32/Bundled.Toolbar.Google.C potentially unsafe application

C:\Program Files (x86)\NCH Software\Doxillion\doxillion.exe a variant of Win32/Toolbar.Conduit.H potentially unwanted application

C:\Program Files (x86)\NCH Software\Doxillion\doxillionsetup_v2.10.exe a variant of Win32/Toolbar.Conduit.H potentially unwanted application

C:\Program Files (x86)\NCH Software\Switch\switch.exe a variant of Win32/Toolbar.Conduit.H potentially unwanted application

C:\Program Files (x86)\NCH Software\Switch\switchsetup_v4.27.exe a variant of Win32/Toolbar.Conduit.H potentially unwanted application

C:\Program Files (x86)\NCH Software\Switch\uninst.exe a variant of Win32/Toolbar.Conduit.H potentially unwanted application

C:\Program Files (x86)\NCH Software\VideoPad\videopad.exe a variant of Win32/Bundled.Toolbar.Google.C potentially unsafe application

C:\Program Files (x86)\NCH Software\VideoPad\videopadsetup_v3.14.exe a variant of Win32/Bundled.Toolbar.Google.C potentially unsafe application

C:\Program Files (x86)\NCH Software\WavePad\uninst.exe a variant of Win32/Toolbar.Conduit.H potentially unwanted application

C:\Program Files (x86)\NCH Software\WavePad\wavepad.exe a variant of Win32/Toolbar.Conduit.H potentially unwanted application

C:\Program Files (x86)\NCH Software\WavePad\wpsetup_v5.13.exe a variant of Win32/Toolbar.Conduit.H potentially unwanted application

[LiquidTension]

Hi Kittie, 

 

Those logs look good. 

 

How is your computer performing? 

[CoolCat]

Hi Adam,

 

I just got online so I am not sure.  The computer seems to be dragging a little but I had dumped the cache and am loading about 5 pages or tabs at the same time.  It may take a minute for everything to get up to speed. 

 

The stuff ESET found, I did not delete, I just created a log of it to post on here.  Should I delete that stuff?

[LiquidTension]

Hi Kittie, 
 

The stuff ESET found, I did not delete, I just created a log of it to post on here.  Should I delete that stuff?

The items flagged by ESET are either files we've already removed, or files associated with software installed on your computer. 
There are several NCH Software programmes installed; I would suggest uninstalling the programmes if you do not use them. 
 
Lets update your vulnerable software to reduce the risk of infection. 
 
STEP 1
 Update Outdated Software
Outdated software contain security risks that must be patched. Please download and install the latest version of the programmes below.

•  Adobe Air
•  Adobe Flash Player (uncheck the "Optional Offer")
•  Adobe Reader (uncheck the "Optional Offer")
•  Follow these instructions to check for and download the latest Windows Updates.
   

STEP 2
 Remove Outdated Software

• Press the Windows Key  + r on your keyboard at the same time. Type appwiz.cpl and click OK.
• Search for the following programmes, right-click and click Uninstall one at a time.
• Note: The programmes below may not be present. If this is the case, please skip to the next step.
  • Adobe Reader X (10.1.13)
• Follow the prompts, and reboot if necessary.
   

STEP 3
 Security Check

• Please download SecurityCheck and save the file to your Desktop.
• Double-click SecurityCheck.exe and follow the onscreen instructions inside the black box.
• A log (checkup.txt) will automatically open on your Desktop.
• Copy the contents of the log and paste in your next reply.
   

======================================================
 
STEP 4
 Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

• checkup.txt
• How is your computer performing? Are there any outstanding issues?

[CoolCat]

What is the NCH Software installed on here and what does it do? do you know?

[LiquidTension]

Hi Kittie, 
 
NCH Software is a company who develops audio, video, business, dictation and transcription, graphics, telephony and other utilities. You have the following NCH software installed:

• Doxillion Document Converter
• Switch Sound File Converter
• VideoPad Video Editor
• WavePad Sound Editor
   

------------
 
Lets update your vulnerable software to reduce the risk of reinfection. 
 
STEP 1
 Update Outdated Software
Outdated software contain security risks that must be patched. Please download and install the latest version of the programmes below.

•  Adobe Air
•  Adobe Flash Player (uncheck the "Optional Offer")
•  Adobe Reader (uncheck the "Optional Offer")
•  Follow these instructions to check for and download the latest Windows Updates.
   

STEP 2
 Remove Outdated Software

• Press the Windows Key  + r on your keyboard at the same time. Type appwiz.cpl and click OK.
• Search for the following programmes, right-click and click Uninstall one at a time.
• Note: The programmes below may not be present. If this is the case, please skip to the next step.
  • Adobe Reader X (10.1.13)
• Follow the prompts, and reboot if necessary.
   

STEP 3
 Disable Java in Your Browser
Due to frequent exploits we recommend you disable Java in your browser.
For information on Java vulnerabilities, please read the following article (point #7).

• Click the  Windows Start Button  and type Java Control Panel (or javacpl) in the search bar. 
• Click on the Java Control Panel. Once opened, click the Security tab.
• Deselect the check box for Enable Java content in the browser. This will disable the Java plug-in in the browser. 
• Click Apply. When the  Windows User Account Control (UAC) appears, allow permissions to make the changes. 
• Click OK in the Java Plug-in confirmation window.
• Restart your browser(s) for changes to take effect.
• More information can be found here and here.
   

STEP 4
 Security Check

• Please download SecurityCheck and save the file to your Desktop.
• Double-click SecurityCheck.exe and follow the onscreen instructions inside the black box.
• A log (checkup.txt) will automatically open on your Desktop.
• Copy the contents of the log and paste in your next reply.
   

======================================================
 
STEP 5
 Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

• checkup.txt
• How is your computer performing? Are there any outstanding issues?

[CoolCat]

OK, proceeding but so far, I haven't done anything about Flash Player as it appears to be the current version.  I do have the computer set to update Windows on a daily basis if there is anything new.  i get this message on Flash Player. Do I need to download the plug-in as well?

 

 

Your Google Chrome browser already includes Adobe® Flash® Player built-in. Google Chrome will automatically update when new versions of Flash Player are available.

Download the Adobe® Flash® Player system plug-in or view the instructions to enable it.

To learn more about the enhanced support for Flash Player in Chrome, including information for developers, see this TechNote.

 

 

 

[LiquidTension]

Hi Kittie, 

 

No, you don't. As you're using Chrome which comes with a built-in Adobe Flash Player, you don't need the programme installed. 

You can uninstall Flash Player using your Control Panel if you wish.