Windows 7 Repair Help

Hey all,

I'm working on a friend's laptop, the Windows installation is very broken.

An error occurs on start up, see pic 1.

Windows update cannot run, pic 2.

Windows firewall cannot run, pic 3.

sfc /scannow fails, pic 4.

I know a clean Windows installation would fix it all, but I'm on a short schedule; he needs it back tomorrow for work, though I will do a clean install (no half-done jobs here!) when he has the time to give it up for a bit.

Any suggestions to fix this without a reinstall?

Many thanks!

Attachments: 1.PNG, 2.PNG, 3.PNG, 4.PNG
 

johnb35

Administrator
Staff member
The first thing I would do is scan the system for malware; I had to deal with this exact same issue the other day on a client's machine. Got most of it worked out though. Run the following.

1.

Please download AdwCleaner by Xplode onto your Desktop.



•Please close all open programs and internet browsers.
•Double click on adwcleaner.exe to run the tool.
•Click on Scan.
•After the scan you will need to click on clean for it to delete the adware.
•Your computer will be rebooted automatically. A text file will open after the restart.
•Please post the content of that logfile in your reply.
•You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.

2.

Please download Junkware Removal Tool to your desktop.

•Shutdown your antivirus to avoid any conflicts.
•Very important that you run the tool in this manner:
Right-mouse click JRT.exe and select Run as administrator
Do NOT just double-click it.
•The tool will open and start scanning your system.
•Please be patient as this can take a while to complete.
•On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
•Post the contents of JRT.txt in your next message.

3.

Please download Malwarebytes' Anti-Malware and save it to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version. Please keep updating until it says you have the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • A log will be saved automatically which you can access by clicking on the Logs tab within Malwarebytes' Anti-Malware

If for some reason Malwarebytes will not install or run please download and run Rkill.scr, Rkill.exe, or Rkill.com. If you are still having issues running rkill then try downloading these renamed versions of the same program.

EXPLORER.EXE
IEXPLORE.EXE
USERINIT.EXE
WINLOGON.EXE

But DO NOT reboot the system and then try installing or running Malwarebytes. If Rkill (which is a black box) appears and then disappears right away or you get a message saying Rkill is infected, keep trying to run Rkill until it overpowers the infection and temporarily kills it. Once a log appears on the screen, you can try running Malwarebytes or downloading other programs.

Please post the log that Malwarebytes displays on your screen.

4.

Download OTL to your Desktop


•Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
•Click on Minimal Output at the top
•Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
◦When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL. Just post the OTL.txt file in your reply.

Then post the logs from the following 4 programs.

1. Adwcleaner
2. Junkware removal tool
3. Malwarebytes
4. OTL
 
Files requested are attached.

Many thanks.
 

Attachments: AdwCleaner[C1].txt (8.2 KB), malwarebytes.txt (1 KB), JRT.txt (3.2 KB), OTL.Txt (136 KB)

johnb35

Administrator
Staff member
This machine has been extremely infected. I need you to run the following program and post the log.

Download and Run ComboFix
If you already have Combofix, please delete this copy and download it again as it's being updated regularly.
  • Download this file here :

    Combofix

  • When the page loads click on the blue combofix download link next to the BleepingComputer Mirror.
  • Save the file to your Windows desktop. The ComboFix icon will look like this when it has downloaded to your desktop.
  • We are almost ready to start ComboFix, but before we do so, we need to take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:

  • Close all open windows including this one.
  • Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix. Instructions on disabling these types of programs can be found here.
    Once these two steps have been completed, double-click on the ComboFix icon found on your desktop. Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all. The scan could take a while, so please be patient.
  • Please click on I agree on the disclaimer window.
  • ComboFix will now install itself on to your computer. When it is done, a blue screen will appear as shown below.

  • ComboFix is now preparing to run. When it has finished ComboFix will automatically attempt to create a System Restore point so that if any problems occur while using the program you can restore back to your previous configuration. When ComboFix has finished creating the restore point, it will then backup your Windows Registry as shown in the image below.

  • Once the Windows Registry has finished being backed up, ComboFix will attempt to detect if you have the Windows Recovery Console installed. If you already have it installed, you can skip to this section and continue reading. Otherwise you will see the following message as shown below:

  • At the above message box, please click on the Yes button in order for ComboFix to continue. Please follow the steps and instructions given by ComboFix in order to finish the installation of the Recovery Console.
  • Please click on yes in the next window to continue scanning for malware.
  • ComboFix will now disconnect your computer from the Internet, so do not be surprised or concerned if you receive any warnings stating that you are no longer on the Internet. When ComboFix has finished it will automatically restore your Internet connection.
  • ComboFix will now start scanning your computer for known infections. This procedure can take some time, so please be patient.
  • While the program is scanning your computer, it will change your clock format, so do not be concerned when you see this happen. When ComboFix is finished it will restore your clock settings to their previous settings. You will also see the text in the ComboFix window being updated as it goes through the various stages of its scan. An example of this can be seen below.

  • When ComboFix has finished running, you will see a screen stating that it is preparing the log report.
  • This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and tells you the program's log file, or report, will be located at C:\ComboFix.txt.
  • When ComboFix has finished, it will automatically close the program and change your clock back to its original format. It will then display the log file automatically for you.
  • Now you just click on the edit menu and click on select all, then click on the edit menu again and click on copy. Then come to the forum in your reply and right click on your mouse and click on paste.

If for some reason you try to run a program or open a file and get an error message saying "illegal operation attempted on a registry key that has been marked for deletion", please just reboot your PC and you'll be fine.

I also need you to post a log that ComboFix produces but doesn't automatically show you. Please navigate to C:\Qoobox; in that folder will be a file named add-remove programs.txt. Open that file and copy and paste the contents into your next reply.


In your next reply please post:

The combofix log
The add-remove programs file
 

Okedokey

Well-Known Member
Firstly, go to C:\Windows\SoftwareDistribution\Download and delete everything from there.

Then go here and run the fix tool.

Restart.

Then in command prompt (as admin) type sfc /scannow

Let it finish.

Restart.

Try windows update again.

Then follow John's instructions to ensure there is nothing else going on.
 

johnb35

Administrator
Staff member
Oke,

The first thing that needs to be done is finish removing all infections then we can work on any other issues with the system. Infections cause all sorts of issues with computers. Trust me, I've dealt with them.
 
Hi John, please see the attached.

Many many thanks for your help.
 

Attachments: Add-Remove Programs.txt (7.1 KB), combofixlog.txt (34.4 KB)

johnb35

Administrator
Staff member
Ok a few things to do.

1. Uninstall this old version of Java.

Java(TM) 6 Update 24

2. According to ComboFix you have Norton 360 on that as well as Avira antivirus; however, only Avira shows up in the installed program list. What program is actually being used?

3. Please download and run TDSSKiller and post the log. Just copy and paste the log inside your reply, no need to attach it.

Please download and run TDSSKiller

When the program opens, Click on the change parameters button, click on the detect tdlfs file system, click ok, click on the start scan button.

TDSSKiller will now scan your computer for the TDSS infection. When the scan has finished it will display a result screen stating whether or not the infection was found on your computer. If it was found it will display a screen similar to the one below.

To remove the infections simply click on the Continue button and TDSSKiller will attempt to clean them or remove them.

After trying to clean them it will pop up with the results of the scan and its actions.

Please reboot the system if asked to do so.

After running, there will be a log located at the root of your C:\ drive labeled TDSSKiller with a series of numbers after it, for example C:\TDSSKiller.2.4.7_23.07.2010_15.31.43_log.txt

Please open the log and copy and paste it back here.

4. Rerun OTL and give me the new log. ComboFix removed some of the bad entries in the first OTL log.
 
Hi John!

As before, thank you so much.

Sorry for the slow reply.

Initial notes: Windows Firewall now seems to be functioning.

1: Java 6.24 uninstalled

2: Norton 360 was both expired and had errors, it was uninstalled.
This left Avira, which I can't say I trust fully, but it seems to be working.
 
Have to have these as attachments, sorry, they go over the character limit.
 

Attachments: OTL.Txt (134.3 KB), TDSSKiller.3.1.0.5_10.09.2015_22.25.50_log.txt (217.9 KB)

johnb35

Administrator
Staff member
First off, an OTL fix.

Please copy and paste the following into the custom scan/fixes box at the bottom of OTL and then click on run fix up top.

Code:
:OTL
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll File not found
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
O4 - HKLM..\Run: []  File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

[emptyjava]
[emptytemp]
[reboot]

Secondly, you have some strangely named folders in your AppData\Roaming folder. I need you to run RogueKiller.

  • Download RogueKiller on your desktop. < Click on the word Roguekiller to get the download link.
  • Quit all running programs
  • Wait until the pre-scan is completed.
  • Accept the EULA and click Scan.
  • After the scan is completed, click on the report button. When the page pops up, click export txt. Save the file and then copy and paste it back here. Leave roguekiller open until I reply back
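A way to triage a folder listing like the one the helper is reacting to before deleting anything, as an added example that is not from the thread or from OTL/RogueKiller: it parses OTL's directory lines and sorts each folder into keep, remove or review from the two signals a reviewer reads off such a log, a burst of folders created on one day (or two in the same second) versus a known product name. The allowlist, the burst threshold and the sample lines below are constructed assumptions, not values from the thread.

```python
import re
from collections import Counter
from datetime import datetime

# An OTL directory line has this shape (the same format as the listing in the thread):
# [2014/01/25 01:00:23 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Abhaxearusci
OTL_DIR_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| [\d,]+ \| "
    r"(?P<attr>\S+) \| [MC]\] -- (?P<path>.+)$"
)

# Assumed allowlist of product folders that legitimately live in AppData\Roaming.
# Extend it from the machine's installed-programs list before trusting the verdicts.
KNOWN_GOOD = {
    "autodesk", "autograph", "batterybar", "caches", "daemon tools lite", "epson",
    "htc", "idt", "origin", "synaptics", "utorrent", "windows live writer",
}

# Assumed threshold: more folders than this created on one calendar day is a drop burst.
BURST_THRESHOLD = 5


def parse_otl_dirs(text):
    """Return [(created, folder_name), ...] for every directory entry in an OTL listing."""
    entries = []
    for line in text.splitlines():
        m = OTL_DIR_LINE.match(line.strip())
        if not m or "D" not in m.group("attr"):
            continue  # blank line, header, or a plain file rather than a directory
        created = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S")
        name = m.group("path").rstrip("\\").rsplit("\\", 1)[-1]
        entries.append((created, name))
    return entries


def triage(entries):
    """Map folder name -> 'keep' | 'remove' | 'review'.

    keep:   allowlisted product folder, even when it was created inside a burst window
            (a vendor folder can sit right among the pseudo-word folders by date).
    remove: not allowlisted and created on a burst day, or in the very same second
            as another folder (a dropper writing folders in pairs).
    review: everything else; a human decides, as the helper in the thread does.
    """
    per_day = Counter(created.date() for created, _ in entries)
    per_second = Counter(created for created, _ in entries)
    verdicts = {}
    for created, name in entries:
        if name.lower() in KNOWN_GOOD:
            verdicts[name] = "keep"
        elif per_day[created.date()] > BURST_THRESHOLD or per_second[created] > 1:
            verdicts[name] = "remove"
        else:
            verdicts[name] = "review"
    return verdicts


def triage_otl(text):
    """Parse an OTL listing and return the per-folder verdicts."""
    return triage(parse_otl_dirs(text))


# Constructed sample in OTL's format: a burst day, a twin-timestamp pair next to a
# vendor folder, a lone vendor folder, a lone odd name, and one plain file to skip.
SAMPLE_OTL = r"""
[2014/01/24 00:54:43 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Xeiszaigcoar
[2014/01/24 00:55:37 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Piwebuxaq
[2014/01/24 00:55:59 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Bylyazidluz
[2014/01/24 01:04:08 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Idylapsit
[2014/01/24 01:14:10 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Irlyavdoy
[2014/01/24 01:24:54 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Lucuhefeugp
[2014/01/19 12:43:01 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Epson
[2014/01/19 12:53:05 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Abozaruq
[2014/01/19 12:53:05 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Pymaacpo
[2014/04/29 10:42:46 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Autodesk
[2013/11/28 22:47:55 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Ucevparavai
[2015/09/08 22:13:44 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\uTorrent
[2015/09/08 22:13:44 | 000,012,345 | ---- | M] -- C:\Users\Bob\AppData\Roaming\settings.dat
"""

if __name__ == "__main__":
    for name, verdict in sorted(triage_otl(SAMPLE_OTL).items(), key=lambda kv: (kv[1], kv[0])):
        print(f"{verdict:6}  {name}")
```

The "review" bucket is the point: the script only prioritises, and anything it cannot tie to a burst or an allowlist entry still goes to a person, which is exactly the caution the helper voices about not deleting something the owner needs.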
 
The OTL log:
All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}\ deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions\ deleted successfully.
File ptyjava] not found.
File ptytemp] not found.
File boot] not found.

OTL by OldTimer - Version 3.2.69.0 log created on 09112015_232322

Files\Folders moved on Reboot...

PendingFileRenameOperations files...

Registry entries deleted on Reboot...
 
The Rogue Killer log:

RogueKiller V10.10.4.0 [Sep 4 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Bob [Administrator]
Started from : C:\Users\Bob\Downloads\RogueKiller.exe
Mode : Scan -- Date : 09/12/2015 00:23:02

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 9 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 194.168.4.100 194.168.8.100 ([-][UNITED KINGDOM (GB)]) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 194.168.4.100 194.168.8.100 ([-][UNITED KINGDOM (GB)]) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 194.168.4.100 194.168.8.100 ([-][UNITED KINGDOM (GB)]) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{31E25500-1D0F-4DFA-9003-1E3535D3C47B} | DhcpNameServer : 194.168.4.100 194.168.8.100 ([-][UNITED KINGDOM (GB)]) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{DD936787-DF78-451A-B271-0C641D288DD1} | DhcpNameServer : 172.20.10.1 ([(Private Address) (XX)]) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{31E25500-1D0F-4DFA-9003-1E3535D3C47B} | DhcpNameServer : 194.168.4.100 194.168.8.100 ([-][UNITED KINGDOM (GB)]) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{DD936787-DF78-451A-B271-0C641D288DD1} | DhcpNameServer : 172.20.10.1 ([(Private Address) (XX)]) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{31E25500-1D0F-4DFA-9003-1E3535D3C47B} | DhcpNameServer : 194.168.4.100 194.168.8.100 ([-][UNITED KINGDOM (GB)]) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{DD936787-DF78-451A-B271-0C641D288DD1} | DhcpNameServer : 172.20.10.1 ([(Private Address) (XX)]) -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: TOSHIBA MK5061GSYN +++++
--- User ---
[MBR] 5ab9afe17a06fc0a223cd06aceb6711f
[BSP] 660daa4ba4a16b9cab8399bb8a3e8746 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 199 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 409600 | Size: 462371 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 947345408 | Size: 14265 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
3 - [XXXXXX] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 976560128 | Size: 103 MB
User = LL1 ... OK
User = LL2 ... OK
 

johnb35

Administrator
Staff member
Ok, no issue there as long as in the tabs everything was in green.

Most of these files are bad; there are some that are good, but I don't want to delete something that the owner may need.

Code:
[2014/01/25 01:00:23 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Abhaxearusci
[2014/01/19 12:53:05 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Abozaruq
[2014/01/24 01:44:17 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Acsucyimcion
[2014/01/25 01:08:44 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Ahexecybap
[2014/01/24 22:04:33 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Alylatyxila
[2014/01/26 23:22:36 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Apigwexyxi
[2014/08/27 16:08:02 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Atnitehic
[2014/04/29 10:42:46 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Autodesk
[2012/09/17 17:40:46 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Autograph
[2014/01/25 01:17:15 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Axcietolodf
[2014/01/19 10:57:11 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Bakeroymelqo
[2015/09/06 23:51:13 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\BatteryBar
[2014/01/26 23:22:20 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Bawiublu
[2014/01/25 02:19:08 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Boxoinlaolxu
[2014/01/24 00:55:59 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Bylyazidluz
[2014/01/25 02:17:35 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Byoxgyof
[2014/01/25 02:10:36 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Bypeazkiyk
[2013/09/14 11:46:10 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Caches
[2014/01/25 01:28:19 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Catoehemakul
[2014/01/24 11:43:26 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Cisukuozdaik
[2013/09/26 12:34:54 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Cooxny
[2014/01/25 01:57:24 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Cuipkokios
[2014/01/26 23:21:33 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Dacytamiqud
[2012/06/13 09:02:07 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\DAEMON Tools Lite
[2014/01/19 10:47:13 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Diewqiugsu
[2014/01/25 01:07:11 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Diinusonongi
[2014/08/27 16:08:04 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Diukyveqva
[2014/01/25 02:27:41 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Dutyotoko
[2014/01/24 22:34:41 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Ebxivaazabd
[2014/01/24 02:34:26 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Efqeycsia
[2014/01/24 02:15:01 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Ehkeiqgivy
[2014/01/25 01:27:20 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Elemvuaxg
[2014/01/24 02:24:23 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Elsesiwe
[2014/01/24 02:25:00 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Enatomib
[2014/01/19 12:43:01 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Epson
[2014/01/25 02:58:29 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Epymomylta
[2014/01/24 02:14:21 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Etbagutyofbu
[2014/01/24 01:54:16 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Ewsoryomym
[2014/01/24 21:14:23 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Famaalfyzuon
[2013/11/26 23:11:58 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Fezium
[2014/01/24 22:03:42 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Fiuwyxuthul
[2014/01/24 21:13:29 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Fywoigulr
[2014/01/26 23:24:51 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Gehuakoqxiyx
[2014/01/25 00:59:41 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Gepexuusg
[2014/01/19 10:57:11 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Gerofaadgyfe
[2014/01/19 12:43:18 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Geynigubbyer
[2014/01/19 10:56:08 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Gouwikxybat
[2014/01/19 10:47:13 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Gyazryygody
[2014/01/19 11:07:13 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Gyyhduxeynz
[2014/01/26 23:24:43 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Hinaango
[2014/01/24 01:34:14 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Hiumunikypi
[2014/01/24 11:44:06 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Horiypcawoi
[2014/01/24 21:13:29 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Hovyhiep
[2015/09/08 19:58:47 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\HTC
[2011/12/27 10:21:44 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\HTC.388BC06ACDAB6261375BCE37FBA2E023C0D7EE34.1
[2014/01/25 02:29:09 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Ibadutebno
[2015/09/06 22:39:09 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\IDT
[2014/01/24 01:04:08 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Idylapsit
[2014/01/25 01:37:20 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Idyvesyvekx
[2014/01/25 02:37:48 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Ifqewuteudc
[2014/01/25 01:58:05 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Ifzikaucc
[2014/01/26 23:21:51 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Ihezatca
[2014/01/24 02:14:21 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Ilduvukyukv
[2014/08/27 16:08:04 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Ilxalyixyn
[2014/01/25 01:47:22 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Imasgyde
[2014/01/25 01:48:01 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Inabygodz
[2014/01/24 01:14:10 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Irlyavdoy
[2014/01/25 01:57:24 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Irysemikkuf
[2014/01/24 01:04:50 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Iseryzorolan
[2014/01/19 12:01:26 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Isyvqoudpez
[2014/01/24 21:33:35 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Ivrazyvy
[2014/01/24 01:04:08 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Iwdugolikyeb
[2014/01/24 01:34:55 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Ixpobyyqn
[2014/01/24 21:03:53 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Izloemeho
[2014/01/26 23:19:08 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Kavolesio
[2014/01/24 02:24:23 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Kioldoaragd
[2014/01/24 01:14:10 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Kioprogeliuf
[2014/01/25 02:47:42 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Koqiabgedota
[2014/01/26 23:21:38 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Kusoucwy
[2014/08/27 16:08:07 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Kyakusafohu
[2014/01/24 21:53:39 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Kyogcuadxi
[2014/01/24 11:24:42 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Leluusip
[2014/01/25 00:59:41 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Leydusokoh
[2014/01/25 01:38:26 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Luboegnydoda
[2014/01/24 01:24:54 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Lucuhefeugp
[2014/01/19 12:11:28 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Luonbiobuzub
[2014/01/25 02:48:37 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Lyumyfom
[2014/01/24 01:54:55 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Maylyfaduvu
[2014/01/24 02:04:19 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Milobitis
[2014/01/24 00:56:34 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Miotohlabaa
[2014/01/24 22:13:45 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Naawfamofip
[2014/01/24 01:54:16 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Neuwywmynuy
[2014/08/27 16:08:05 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Niembuyfgy
[2014/01/19 12:11:28 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Noxuopbu
[2014/01/26 23:26:05 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Noyvimnym
[2014/01/25 01:07:11 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Nuybipetowty
[2014/01/24 21:03:53 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Nyozevucapi
[2013/11/26 23:25:30 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Nyucry
[2014/01/26 23:22:55 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Obboqezus
[2014/01/26 23:27:14 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Obeppeuvz
[2014/01/24 21:23:31 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Obypyrime
[2014/01/24 11:33:24 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Ogefpuyvyl
[2014/01/25 02:27:41 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Ognahyylosi
[2014/01/19 10:48:09 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Ohhiegizaxu
[2014/08/27 16:08:08 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Ohziavyb
[2014/01/26 23:20:40 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Olrubuymrayx
[2014/01/25 02:38:57 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Oncyuranu
[2014/01/19 12:27:12 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Onfyvemubyy
[2014/01/24 01:44:58 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Onpetoak
[2014/01/19 11:07:13 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Orevciaw
[2015/09/05 17:34:45 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Origin
[2014/01/26 23:23:40 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Ospeegewcy
[2014/01/26 23:27:04 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Otdomuic
[2014/01/25 02:07:34 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Ovgyozav
[2014/01/25 02:47:42 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Owvonadoofit
[2014/08/27 16:08:08 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Owyzkiaq
[2014/01/24 02:04:19 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Pacacyniet
[2014/01/19 10:48:09 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Pebehiovemmy
[2014/01/24 00:55:37 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Piwebuxaq
[2014/01/24 21:24:20 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Puqaasluuxam
[2014/01/19 12:53:05 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Pymaacpo
[2014/01/24 21:53:39 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Qaogyzna
[2014/01/24 11:34:10 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Qazeimli
[2014/01/24 21:04:44 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Qolyutad
[2012/04/21 15:55:19 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\redsn0w
[2014/01/24 21:43:37 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Riycnoxu
[2014/01/24 11:33:24 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Ropuocliy
[2014/01/24 02:04:58 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Rytuvioqovz
[2014/01/26 23:25:56 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Soimzioq
[2014/08/27 16:08:03 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Sugyqayk
[2011/09/18 13:46:45 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Synaptics
[2014/01/24 21:33:35 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Teiqseonub
[2012/06/23 09:50:55 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Tific
[2014/01/24 22:33:50 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Tiuzitbyi
[2014/01/25 02:37:48 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Tiyrveopukny
[2014/01/25 02:57:41 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Tuuctiasem
[2014/01/25 02:17:35 | 000,000,000 | ---D | M] -- C:\Users\Bob\AppData\Roaming\Tyasutnoiq
Ok, one last scan.

Please download and run the ESET Online Scanner
Disable any antivirus/security programs.
IMPORTANT! UN-check Remove found threats
Accept any security warnings from your browser.
Check Scan archives
Click Start
ESET will then download updates, install and then start scanning your system.
When the scan is done, push list of found threats
Click on Export to text file, and save the file to your desktop using a file name such as ESETlog. Include the contents of this report in your next reply.
If no threats are found then it won't produce a log.
 
Scan Log:

C:\AdwCleaner\Quarantine\C\ProgramData\Tarma Installer\{361E80BE-388B-4270-BF54-A10C2B756504}\_Setupx.dll.vir a variant of Win32/Adware.Yontoo.B application
C:\Users\Bob\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\R7C4PFRB\admin.brightcove.com\[[IMPORT]]\79423.analytics.edgekey.net\csma\ezUninst.exe a variant of Win32/Kryptik.BSHO trojan
C:\Users\Bob\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.flashcast.tv\choice.exe a variant of Win32/Kryptik.BSHO trojan
C:\Users\Bob\AppData\Roaming\uTorrent\updates\3.4.2_32239.exe a variant of Win32/AdkDLLWrapper.A potentially unwanted application
C:\Users\Bob\Downloads\uTorrent.exe a variant of Win32/AdkDLLWrapper.A potentially unwanted application
C:\Windows\Installer\22f5001a.msi a variant of Win32/Bundled.Toolbar.Ask.D potentially unsafe application
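The ESET export above is one detection per line, "path, a variant of family, category". As an added example (not from the thread, from ESET, or from any of the tools mentioned), this Python script parses that format and orders the hits for triage, treating anything already sitting under AdwCleaner's quarantine folder as contained rather than live; the severity ranking is my own assumption.

```python
import re
from dataclasses import dataclass

# Constructed sample: four of the lines from the ESET export posted above.
SAMPLE_LOG = r"""
C:\AdwCleaner\Quarantine\C\ProgramData\Tarma Installer\{361E80BE-388B-4270-BF54-A10C2B756504}\_Setupx.dll.vir a variant of Win32/Adware.Yontoo.B application
C:\Users\Bob\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\R7C4PFRB\admin.brightcove.com\[[IMPORT]]\79423.analytics.edgekey.net\csma\ezUninst.exe a variant of Win32/Kryptik.BSHO trojan
C:\Users\Bob\AppData\Roaming\uTorrent\updates\3.4.2_32239.exe a variant of Win32/AdkDLLWrapper.A potentially unwanted application
C:\Windows\Installer\22f5001a.msi a variant of Win32/Bundled.Toolbar.Ask.D potentially unsafe application
"""

# Paths can contain spaces, so the parser anchors on the literal " a variant of ".
LINE_RE = re.compile(r"^(?P<path>.+?) a variant of (?P<family>\S+) (?P<category>.+)$")

# Triage rank for the category phrases ESET appends (my ranking, not ESET's).
SEVERITY = {"trojan": 3, "potentially unsafe application": 2,
            "potentially unwanted application": 1, "application": 1}

@dataclass
class Detection:
    path: str
    family: str
    category: str
    severity: int
    contained: bool  # file already sits in a removal tool's quarantine

def parse_line(line: str):
    """Return a Detection for one export line, or None for non-matching text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path, family, category = m.group("path", "family", "category")
    # AdwCleaner moves what it removes to C:\AdwCleaner\Quarantine and renames
    # it *.vir, so a hit there is an already-neutralised copy, not a live file.
    contained = "\\quarantine\\" in path.lower() or path.lower().endswith(".vir")
    return Detection(path, family, category, SEVERITY.get(category, 0), contained)

def triage(log_text: str):
    """Parse a whole export and order hits: live ones first, worst first."""
    hits = [d for d in map(parse_line, log_text.splitlines()) if d]
    return sorted(hits, key=lambda d: (d.contained, -d.severity))

def live_trojans(log_text: str) -> int:
    """Count trojan detections that are not already quarantined."""
    return sum(1 for d in triage(log_text) if d.severity == 3 and not d.contained)

if __name__ == "__main__":
    for d in triage(SAMPLE_LOG):
        state = "quarantined" if d.contained else "LIVE"
        print(f"[{d.severity}] {state:11} {d.family:30} {d.path}")
```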
 

johnb35

Administrator
Staff member
How is the machine reacting at this point? Because if it still has certain issues, then I would just reinstall Windows fresh. A machine that has been this infected is when it should be reinstalled.
 

beers

Moderator
Staff member
A machine that has been this infected is when it should be reinstalled.

+1 for this. There's no way to 100% guarantee you've actually addressed every single virus/malware reference aside from a fresh installation.
 
Hi john and beers. Sorry for taking a while to get back to you. The system now has both Windows Firewall and Update back online and has been updated. Sfc was run, on the 2nd time it came back clean. I will do a full reinstall in the very near future regardless. Thank you so much for all your help!
 

johnb35

Administrator
Staff member
Glad to hear, but yes, you should reinstall Windows ASAP, as I know there are still remnants of the infections present.
 