The instructions were for a zip file, but the hyperlink led me to an exe download. I ran the exe and was given the popup that asks whether I will allow the program to make changes; I said allow and it does nothing.
See if you can search and find
mbar-log-(the date ran).txt
The scanner below can run and work in safe mode and/or normal mode.
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1
Link 2
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
Double click on ComboFix.exe & follow the prompts.
Accept the disclaimer and allow to update if it asks
- When finished, it shall produce a log for you.
- Please include the C:\ComboFix.txt in your next reply.
- Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion, then reboot; that will cure it.
Please make sure you include the ComboFix log in your next reply, as well as a description of how your computer is running now.
Windows Insider MVP Consumer Security 2009 - 2017
Please do not PM me for Malware help, we all benefit from posting on the open board.
I have a question
I see these files but cannot find much info on what they might be related to. Are they for some type of restore tool?
C:\ProgramData\restore_files_bjvdg.html
C:\ProgramData\restore_files_bjvdg.txt
C:\ProgramData\restore_files_fmlub.html
C:\ProgramData\restore_files_fmlub.txt
C:\ProgramData\restore_files_hvdux.html
C:\ProgramData\restore_files_hvdux.txt
C:\ProgramData\restore_files_mkkgj.html
C:\ProgramData\restore_files_mkkgj.txt
C:\ProgramData\restore_files_qnhwg.html
C:\ProgramData\restore_files_qnhwg.txt
C:\ProgramData\restore_files_swkdn.html
C:\ProgramData\restore_files_swkdn.txt
~~
Also please download Windows Repair (all in one) from here
Install the program then go to step 4 and create a new system restore point and new registry backup.
Go to Step 2 and allow it to run CheckDisk by clicking on the Do It button:
NEXT
On the Start Repairs tab => click Start.
Please ensure that ONLY items seen in the image below are ticked as indicated (they're all checked by default):
Click the box next to Restart System when Finished. Then click Start.
I know I've posted several things for you to do but I wanted to post this while it was on my mind.
Event Log Viewer
- Please download VEW and save the file to your Desktop.
- Right-click VEW.exe and select Run as administrator to run the programme.
- Under Select log to query, place a checkmark next to:
- Application
- System
Under Select type to list, place a checkmark next to:
- Critical
- Error
- Information
- Under Number or date events, place a checkmark next to:
- Number of Events and set to 20.
- Click Run.
- Upon completion, a log (VEW.txt) will open. Copy the contents of the log and paste in your next reply.
it has been three days... did I lose you?
Oops, sorry. I didn't realize you had in fact replied.
yes, I kinda rambled off a few things to do
ComboFix 15-10-15.01 - user 10/16/2015 19:26:03.1.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2038.1323 [GMT -5:00]
Running from: c:\users\user\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\716C5D6A.EX
c:\users\Public\Favorites\restore_files_bjvdg.html
c:\users\Public\Favorites\restore_files_fmlub.html
c:\users\Public\Favorites\restore_files_hvdux.html
c:\users\Public\Favorites\restore_files_mkkgj.html
c:\users\Public\Favorites\restore_files_qnhwg.html
c:\users\Public\Favorites\restore_files_swkdn.html
c:\windows\wininit.ini
.
.
\\.\PhysicalDrive0 - Bootkit Cidox was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2015-09-17 to 2015-10-17 )))))))))))))))))))))))))))))))
.
.
2015-10-17 00:31 . 2015-10-17 00:33 -------- d-----w- c:\users\user\AppData\Local\temp
2015-10-12 18:59 . 2015-10-12 22:25 -------- d-----w- C:\AdwCleaner
2015-10-10 01:10 . 2015-10-10 01:10 -------- d-----w- C:\RegBackup
2015-10-10 00:26 . 2015-10-10 00:26 -------- d-----w- c:\program files\Tweaking.com
2015-10-10 00:13 . 2015-10-13 17:51 -------- d-----w- C:\FRST
2015-09-20 19:54 . 2015-09-20 19:54 -------- d-----w- c:\program files\Common Files\AV
2015-09-20 19:03 . 2015-09-20 19:03 -------- d-----w- c:\program files\CCleaner
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-10-17 00:02 . 2015-05-16 21:59 780488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2015-10-17 00:02 . 2015-05-16 21:59 142536 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2015-10-17 00:02 . 2015-08-23 16:02 3996360 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2015-08-20 09:18 . 2015-09-02 11:32 9234960 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{04CF7845-9F16-42DA-8744-864BC1B9294F}\mpengine.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2013-10-16 543432]
"CCleaner Monitoring"="c:\program files\CCleaner\CCleaner.exe" [2015-08-19 6490904]
"SpybotPostWindows10UpgradeReInstall"="c:\program files\Common Files\AV\Spybot - Search and Destroy\Test.exe" [2015-07-28 1011200]
.
c:\users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
restore_files_mkkgj.html [2015-8-22 5081]
restore_files_mkkgj.txt [2015-8-22 2253]
restore_files_qnhwg.html [2015-8-22 3822]
restore_files_qnhwg.txt [2015-8-22 2170]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean.exe
.
R3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2015-10-16 09:05 997704 ----a-w- c:\program files\Google\Chrome\Application\46.0.2490.71\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2015-10-17 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2015-05-16 00:02]
.
2015-10-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2015-05-19 16:47]
.
2015-10-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2015-05-19 16:47]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = localhost:8080
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
FF - ProfilePath - c:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\vk605143.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/?gws_rd=ssl
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Chrome - c:\progra~2\taskhost.exe
HKLM-Run-Chrome - c:\progra~2\taskhost.exe
HKU-Default-Run-Chrome - c:\progra~2\taskhost.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_19_0_0_226_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_19_0_0_226_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Sandboxie\SbieSvc.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\sppsvc.exe
c:\windows\system32\conhost.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2015-10-16 19:35:09 - machine was rebooted
ComboFix-quarantined-files.txt 2015-10-17 00:35
.
Pre-Run: 266,880,491,520 bytes free
Post-Run: 266,791,280,640 bytes free
.
- - End Of File - - 9984B18A4A04C30C686DE2BE9297A25C
8F558EB6672622401DA993E1E865C861
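Read as a responder, three entries in the ComboFix log above carry the story: the restore_files_*.html/.txt copies in the user's Startup folder (a document placed there opens at every logon, which is why the popups return after each reboot), the Run values named "Chrome" that pointed at c:\progra~2\taskhost.exe (a Windows system-binary name living under ProgramData; ComboFix lists them as orphans, i.e. Run values whose target file no longer existed, so there is nothing left to hash or submit), and the per-user ProxyServer = localhost:8080 setting, which routes the browser through something on the machine itself and should be cleared once nothing legitimate is listening there. The Python below is an added example, not ComboFix output and not one of the thread's tools; it runs those three checks over a constructed excerpt written in ComboFix's own layout. The category names, the list of borrowed system-binary names and the user-writable path markers are heuristics chosen here for illustration, not anything ComboFix itself does.

```python
"""Triage autostart and proxy indicators from a ComboFix-style log excerpt."""
import re
from typing import List, Tuple

Finding = Tuple[str, str]  # (category, detail)

# Assumed heuristics (not ComboFix's logic): names malware borrows from real
# Windows binaries, and locations a normal machine-wide autostart should not use.
SYSTEM_BINARY_NAMES = {"taskhost.exe", "svchost.exe", "csrss.exe", "lsass.exe",
                       "winlogon.exe", "explorer.exe", "conhost.exe", "dwm.exe"}
USER_WRITABLE = ("c:\\progra~2", "c:\\programdata", "\\appdata\\", "c:\\users\\public")
NON_EXEC_STARTUP = (".html", ".htm", ".txt", ".url", ".bmp", ".png")

RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"')
ORPHAN_RUN = re.compile(r'^(?P<hive>HK\S+)-Run-(?P<name>\S+) - (?P<path>.+)$')
STARTUP_ENTRY = re.compile(r'^(?P<file>\S+) \[\d{4}-\d{1,2}-\d{1,2} \d+\]$')
PROXY = re.compile(r'ProxyServer = (?P<proxy>\S+)')

# Constructed sample in ComboFix's layout (Reg Loading Points, Startup folder,
# Supplementary Scan, Orphans). Values mirror the thread's log; it is test input.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2013-10-16 543432]
"CCleaner Monitoring"="c:\program files\CCleaner\CCleaner.exe" [2015-08-19 6490904]
.
c:\users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
restore_files_mkkgj.html [2015-8-22 5081]
restore_files_mkkgj.txt [2015-8-22 2253]
.
uInternet Settings,ProxyServer = localhost:8080
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
.
HKCU-Run-Chrome - c:\progra~2\taskhost.exe
HKLM-Run-Chrome - c:\progra~2\taskhost.exe
"""


def check_autostart(where: str, name: str, path: str) -> List[Finding]:
    """Two checks per autostart: does it live somewhere user-writable, and does it
    borrow a Windows system binary's name while living outside System32?"""
    low = path.lower().replace("/", "\\")
    exe = low.rsplit("\\", 1)[-1]
    detail = f"{where}: {name} -> {path}"
    findings: List[Finding] = []
    if any(marker in low for marker in USER_WRITABLE):
        findings.append(("autostart-from-user-writable-path", detail))
    if exe in SYSTEM_BINARY_NAMES and "\\windows\\system32\\" not in low:
        findings.append(("system-binary-name-outside-system32", detail))
    return findings


def triage(log_text: str) -> List[Finding]:
    """Walk the log line by line, tracking which registry key or folder we are in."""
    findings: List[Finding] = []
    current_key = ""     # last "[HKEY_...]" header seen
    in_startup = False   # inside a Startup-folder listing
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":          # ComboFix separates blocks with "."
            in_startup = False
            continue
        if line.startswith("[HK"):
            current_key = line.strip("[]")
            continue
        if line.lower().endswith("\\startup\\"):
            in_startup = True
            continue
        if in_startup:
            m = STARTUP_ENTRY.match(line)
            if m and m["file"].lower().endswith(NON_EXEC_STARTUP):
                # A document in Startup is opened at every logon: the ransom-note pattern.
                findings.append(("document-in-startup-folder", m["file"]))
            continue
        m = RUN_VALUE.match(line)
        if m and current_key.lower().endswith("\\run"):
            findings.extend(check_autostart(current_key, m["name"], m["path"]))
            continue
        m = ORPHAN_RUN.match(line)
        if m:
            findings.extend(check_autostart(m["hive"] + "-Run", m["name"], m["path"]))
            continue
        m = PROXY.search(line)
        if m and m["proxy"].split(":")[0].lower() in ("localhost", "127.0.0.1"):
            # Browser traffic goes through something on this host: fine for a debugging
            # proxy or an AV web filter, otherwise a redirect/injection hook.
            findings.append(("local-intercepting-proxy", m["proxy"]))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"[{category}] {detail}")
```

Run as-is it prints seven findings for the sample: two for each orphaned "Chrome" value (user-writable location, and taskhost.exe outside System32), two for the ransom-note documents in Startup, and one for the localhost proxy; the Sandboxie and CCleaner entries pass. Not everything unusual in the log is hostile: the BootExecute entry sdnclean.exe belongs to Spybot Search & Destroy, whose presence the Run key also shows, so a rule that flagged every non-default BootExecute value would need that exception.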
I believe the restore files you mentioned are malicious. Every time I reboot, screens pop up mentioning them. Windows Repair did not find any issues. The log for VEW follows:
Vino's Event Viewer v01c run on Windows 2008 in English
Report run at 16/10/2015 8:30:41 PM
Note: All dates below are in the format dd/mm/yyyy
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Critical Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 17/10/2015 1:04:52 AM
Type: Error Category: 100
Event: 1000 Source: Application Error
Faulting application name: svchost.exe_WinDefend, version: 6.1.7600.16385, time stamp: 0x4a5bc100 Faulting module name: msvcrt.dll, version: 7.0.7600.16385, time stamp: 0x4a5bda6f Exception code: 0xc0000005 Fault offset: 0x0000ab84 Faulting process id: 0x670 Faulting application start time: 0x01d108756c21b920 Faulting application path: C:\Windows\System32\svchost.exe Faulting module path: C:\Windows\system32\msvcrt.dll Report Id: 11dc1418-746b-11e5-95cc-0016418fd44e
Log: 'Application' Date/Time: 16/10/2015 7:51:01 PM
Type: Error Category: 100
Event: 1000 Source: Application Error
Faulting application name: vlc.exe, version: 2.2.1.0, time stamp: 0x00000004 Faulting module name: libqt4_plugin.dll, version: 2.2.1.0, time stamp: 0x00020002 Exception code: 0x40000015 Fault offset: 0x007ca10a Faulting process id: 0x1268 Faulting application start time: 0x01d1084bf6e4b795 Faulting application path: C:\Program Files\VideoLAN\VLC\vlc.exe Faulting module path: C:\Program Files\VideoLAN\VLC\plugins\gui\libqt4_plugin.dll Report Id: 39a05618-743f-11e5-9e30-0016418fd44e
Log: 'Application' Date/Time: 09/10/2015 8:04:08 PM
Type: Error Category: 101
Event: 1002 Source: Application Hang
The program uTorrent.exe version 3.4.5.41162 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel. Process ID: bec Start Time: 01d102cd4b208838 Termination Time: 16 Application Path: C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe Report Id: e3dacfcb-6ec0-11e5-8ff0-0016418fd44e
Log: 'Application' Date/Time: 09/10/2015 4:19:15 PM
Type: Error Category: 0
Event: 8211 Source: System Restore
The scheduled restore point could not be created. Additional information: (0x81000101).
Log: 'Application' Date/Time: 09/10/2015 4:19:15 PM
Type: Error Category: 0
Event: 8193 Source: System Restore
Failed to create restore point (Process = C:\Windows\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation; Description = Scheduled Checkpoint; Error = 0x81000101).
Log: 'Application' Date/Time: 03/10/2015 1:26:11 AM
Type: Error Category: 1
Event: 7042 Source: Microsoft-Windows-Search
The Windows Search Service is being stopped because there is a problem with the indexer: The catalog is corrupt.
Details:
The content index catalog is corrupt. 0xc0041801 (0xc0041801)
Log: 'Application' Date/Time: 03/10/2015 1:26:11 AM
Type: Error Category: 1
Event: 7040 Source: Microsoft-Windows-Search
The search service has detected corrupted data files in the index {id=2350}. The service will attempt to automatically correct this problem by rebuilding the index.
Details:
The content index catalog is corrupt. 0xc0041801 (0xc0041801)
Log: 'Application' Date/Time: 02/10/2015 5:53:50 PM
Type: Error Category: 101
Event: 1002 Source: Application Hang
The program uTorrent.exe version 3.4.5.41162 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel. Process ID: a04 Start Time: 01d0fd3a3ba624b5 Termination Time: 29 Application Path: C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe Report Id: 86ed4303-692e-11e5-80c1-0016418fd44e
Log: 'Application' Date/Time: 02/10/2015 5:36:22 PM
Type: Error Category: 101
Event: 1002 Source: Application Hang
The program uTorrent.exe version 3.4.5.41162 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel. Process ID: e38 Start Time: 01d0fd388b4eef10 Termination Time: 16 Application Path: C:\Users\user\AppData\Roaming\uTorrent\uTorrent.exe Report Id: 0c491d4d-692c-11e5-80c1-0016418fd44e
Log: 'Application' Date/Time: 02/10/2015 12:54:26 AM
Type: Error Category: 100
Event: 1000 Source: Application Error
Faulting application name: plugin-container.exe, version: 41.0.1.5750, time stamp: 0x560b37be Faulting module name: mozglue.dll, version: 41.0.1.5750, time stamp: 0x560b229d Exception code: 0x80000003 Fault offset: 0x0000ec7f Faulting process id: 0xcd0 Faulting application start time: 0x01d0fcacb708f42c Faulting application path: C:\Program Files\Mozilla Firefox\plugin-container.exe Faulting module path: C:\Program Files\Mozilla Firefox\mozglue.dll Report Id: 2066e7b4-68a0-11e5-a3c5-0016418fd44e
Log: 'Application' Date/Time: 02/10/2015 12:28:28 AM
Type: Error Category: 101
Event: 1002 Source: Application Hang
The program firefox.exe version 41.0.1.5750 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel. Process ID: ec8 Start Time: 01d0fca7c91dba3b Termination Time: 11 Application Path: C:\Program Files\Mozilla Firefox\firefox.exe Report Id:
Log: 'Application' Date/Time: 28/09/2015 4:53:43 PM
Type: Error Category: 101
Event: 1002 Source: Application Hang
The program firefox.exe version 41.0.0.5738 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel. Process ID: 630 Start Time: 01d0f97f6c5a0d22 Termination Time: 34 Application Path: C:\Program Files\Mozilla Firefox\firefox.exe Report Id: 77bd087d-6601-11e5-bc43-0016418fd44e
Log: 'Application' Date/Time: 28/09/2015 4:53:43 PM
Type: Error Category: 100
Event: 1000 Source: Application Error
Faulting application name: plugin-container.exe, version: 41.0.0.5738, time stamp: 0x55fb7072 Faulting module name: mozglue.dll, version: 41.0.0.5738, time stamp: 0x55fb5afb Exception code: 0x80000003 Fault offset: 0x0000ec7e Faulting process id: 0xe1c Faulting application start time: 0x01d0fa0e25b42fd1 Faulting application path: C:\Program Files\Mozilla Firefox\plugin-container.exe Faulting module path: C:\Program Files\Mozilla Firefox\mozglue.dll Report Id: 79b9551d-6601-11e5-bc43-0016418fd44e
Log: 'Application' Date/Time: 27/09/2015 3:13:00 AM
Type: Error Category: 100
Event: 1000 Source: Application Error
Faulting application name: svchost.exe_SysMain, version: 6.1.7600.16385, time stamp: 0x4a5bc100 Faulting module name: sysmain.dll, version: 6.1.7600.16385, time stamp: 0x4a5bdb23 Exception code: 0xc0000005 Fault offset: 0x00042bfa Faulting process id: 0x358 Faulting application start time: 0x01d0f8beb5205dc5 Faulting application path: C:\Windows\System32\svchost.exe Faulting module path: c:\windows\system32\sysmain.dll Report Id: a7ec7fdb-64c5-11e5-a781-0016418fd44e
Log: 'Application' Date/Time: 27/09/2015 12:32:00 AM
Type: Error Category: 100
Event: 1000 Source: Application Error
Faulting application name: plugin-container.exe, version: 41.0.0.5738, time stamp: 0x55fb7072 Faulting module name: mozglue.dll, version: 41.0.0.5738, time stamp: 0x55fb5afb Exception code: 0x80000003 Fault offset: 0x0000ec7e Faulting process id: 0xaac Faulting application start time: 0x01d0f8a6b02fbaec Faulting application path: C:\Program Files\Mozilla Firefox\plugin-container.exe Faulting module path: C:\Program Files\Mozilla Firefox\mozglue.dll Report Id: 2a4de6e0-64af-11e5-bbc2-0016418fd44e
Log: 'Application' Date/Time: 27/09/2015 12:32:00 AM
Type: Error Category: 101
Event: 1002 Source: Application Hang
The program firefox.exe version 41.0.0.5738 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel. Process ID: 9a0 Start Time: 01d0f8a525319699 Termination Time: 127 Application Path: C:\Program Files\Mozilla Firefox\firefox.exe Report Id: 27b7c8ff-64af-11e5-bbc2-0016418fd44e
Log: 'Application' Date/Time: 25/09/2015 5:05:13 AM
Type: Error Category: 100
Event: 1000 Source: Application Error
Faulting application name: plugin-container.exe, version: 41.0.0.5738, time stamp: 0x55fb7072 Faulting module name: mozglue.dll, version: 41.0.0.5738, time stamp: 0x55fb5afb Exception code: 0x80000003 Fault offset: 0x0000ec7e Faulting process id: 0xb90 Faulting application start time: 0x01d0f74da50acce0 Faulting application path: C:\Program Files\Mozilla Firefox\plugin-container.exe Faulting module path: C:\Program Files\Mozilla Firefox\mozglue.dll Report Id: 0072674c-6343-11e5-a381-0016418fd44e
Log: 'Application' Date/Time: 25/09/2015 2:36:23 AM
Type: Error Category: 100
Event: 1000 Source: Application Error
Faulting application name: plugin-container.exe, version: 41.0.0.5738, time stamp: 0x55fb7072 Faulting module name: mozglue.dll, version: 41.0.0.5738, time stamp: 0x55fb5afb Exception code: 0x80000003 Fault offset: 0x0000ec7e Faulting process id: 0xa48 Faulting application start time: 0x01d0f73ad74e3638 Faulting application path: C:\Program Files\Mozilla Firefox\plugin-container.exe Faulting module path: C:\Program Files\Mozilla Firefox\mozglue.dll Report Id: 359da133-632e-11e5-a381-0016418fd44e
Log: 'Application' Date/Time: 24/09/2015 7:35:02 PM
Type: Error Category: 100
Event: 1000 Source: Application Error
Faulting application name: plugin-container.exe, version: 41.0.0.5738, time stamp: 0x55fb7072 Faulting module name: mozglue.dll, version: 41.0.0.5738, time stamp: 0x55fb5afb Exception code: 0x80000003 Fault offset: 0x0000ec7e Faulting process id: 0x714 Faulting application start time: 0x01d0f6ff1b141ef9 Faulting application path: C:\Program Files\Mozilla Firefox\plugin-container.exe Faulting module path: C:\Program Files\Mozilla Firefox\mozglue.dll Report Id: 58d106d8-62f3-11e5-a381-0016418fd44e
Log: 'Application' Date/Time: 24/09/2015 6:58:55 PM
Type: Error Category: 100
Event: 1000 Source: Application Error
Faulting application name: plugin-container.exe, version: 41.0.0.5738, time stamp: 0x55fb7072 Faulting module name: mozglue.dll, version: 41.0.0.5738, time stamp: 0x55fb5afb Exception code: 0x80000003 Fault offset: 0x0000ec7e Faulting process id: 0xbf0 Faulting application start time: 0x01d0f6fa5bf281ea Faulting application path: C:\Program Files\Mozilla Firefox\plugin-container.exe Faulting module path: C:\Program Files\Mozilla Firefox\mozglue.dll Report Id: 4d3fe876-62ee-11e5-a381-0016418fd44e
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Information Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 17/10/2015 1:26:20 AM
Type: Information Category: 0
Event: 1 Source: SecurityCenter
The Windows Security Center Service has started.
Log: 'Application' Date/Time: 17/10/2015 1:26:19 AM
Type: Information Category: 1
Event: 1003 Source: Microsoft-Windows-Search
The Windows Search Service started.
Log: 'Application' Date/Time: 17/10/2015 1:26:15 AM
Type: Information Category: 0
Event: 0 Source: gupdate
The event description cannot be found.
Log: 'Application' Date/Time: 17/10/2015 1:26:13 AM
Type: Information Category: 3
Event: 302 Source: ESENT
Windows (3388) Windows: The database engine has successfully completed recovery steps.
Log: 'Application' Date/Time: 17/10/2015 1:26:13 AM
Type: Information Category: 3
Event: 301 Source: ESENT
Windows (3388) Windows: The database engine has begun replaying logfile C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log.
Log: 'Application' Date/Time: 17/10/2015 1:26:12 AM
Type: Information Category: 3
Event: 300 Source: ESENT
Windows (3388) Windows: The database engine is initiating recovery steps.
Log: 'Application' Date/Time: 17/10/2015 1:26:12 AM
Type: Information Category: 1
Event: 102 Source: ESENT
Windows (3388) Windows: The database engine (6.01.7600.0000) started a new instance (0).
Log: 'Application' Date/Time: 17/10/2015 1:26:01 AM
Type: Information Category: 0
Event: 6000 Source: Microsoft-Windows-Winlogon
The winlogon notification subscriber <SessionEnv> was unavailable to handle a notification event.
Log: 'Application' Date/Time: 17/10/2015 1:26:01 AM
Type: Information Category: 0
Event: 4104 Source: Microsoft-Windows-Winlogon
Accessing Windows in Notification period.
Log: 'Application' Date/Time: 17/10/2015 1:24:15 AM
Type: Information Category: 0
Event: 902 Source: Microsoft-Windows-Security-SPP
The Software Protection service has started. 6.1.7600.16385
Log: 'Application' Date/Time: 17/10/2015 1:24:15 AM
Type: Information Category: 0
Event: 1003 Source: Microsoft-Windows-Security-SPP
The Software Protection service has completed licensing status check. Application Id=55c92734-d682-4d71-983e-d6ec3f16059f Licensing Status=
1: 022a1afb-b893-4190-92c3-8f69a49839fb, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]
2: 7cfd4696-69a9-4af7-af36-ff3d12b6b6c8, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]
3: a0cde89c-3304-4157-b61c-c8ad785d1fad, 1, 1 [(0 )(1 )(2 [0x00000000, 0, 0], [( 5 0xC004F009 30 0)( 5 0xC004F009 30 0)( 1 0x00000000 0 0 msft:rm/algorithm/flags/1.0 0x00000000 0)(?)(?)( 9 0x00000000 0xC004F009)])]
4: ac96e1a8-6cc4-4310-a4ff-332ce77fb5b8, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]
5: cfb3e52c-d707-4861-af51-11b27ee6169c, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]
6: 4a8149bb-7d61-49f4-8822-82c7bf88d64b, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]
7: afd5f68f-b70f-4000-a21d-28dbc8be8b07, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]
Log: 'Application' Date/Time: 17/10/2015 1:24:15 AM
Type: Information Category: 0
Event: 1066 Source: Microsoft-Windows-Security-SPP
Initialization status for service objects. C:\Windows\system32\sppwinob.dll, msft:spp/windowsfunctionality/agent/7.0, 0x00000000, 0x00000000
C:\Windows\system32\sppobjs.dll, msft:rm/algorithm/phone/1.0, 0x00000000, 0x00000000
C:\Windows\system32\sppobjs.dll, msft:rm/algorithm/pkey/2005, 0x00000000, 0x00000000
C:\Windows\system32\sppobjs.dll, msft:spp/TaskScheduler/1.0, 0x00000000, 0x00000000
C:\Windows\system32\sppobjs.dll, msft:spp/volume/services/kms/1.0, 0x00000000, 0x00000000
C:\Windows\system32\sppobjs.dll, msft:spp/volume/services/kms/licenserenewal/1.0, 0x00000000, 0x00000000
Log: 'Application' Date/Time: 17/10/2015 1:24:14 AM
Type: Information Category: 0
Event: 900 Source: Microsoft-Windows-Security-SPP
The Software Protection service is starting.
Log: 'Application' Date/Time: 17/10/2015 1:24:14 AM
Type: Information Category: 0
Event: 5617 Source: Microsoft-Windows-WMI
Windows Management Instrumentation Service subsystems initialized successfully
Log: 'Application' Date/Time: 17/10/2015 1:24:06 AM
Type: Information Category: 0
Event: 1531 Source: Microsoft-Windows-User Profiles Service
The User Profile Service has started successfully.
Log: 'Application' Date/Time: 17/10/2015 1:24:10 AM
Type: Information Category: 0
Event: 5615 Source: Microsoft-Windows-WMI
Windows Management Instrumentation Service started sucessfully
Log: 'Application' Date/Time: 17/10/2015 1:24:06 AM
Type: Information Category: 0
Event: 4625 Source: Microsoft-Windows-EventSystem
The EventSystem sub system is suppressing duplicate event log entries for a duration of 86400 seconds. The suppression timeout can be controlled by a REG_DWORD value named SuppressDuplicateDuration under the following registry key: HKLM\Software\Microsoft\EventSystem\EventLog.
Log: 'Application' Date/Time: 17/10/2015 1:23:32 AM
Type: Information Category: 0
Event: 1532 Source: Microsoft-Windows-User Profiles Service
The User Profile Service has stopped.
Log: 'Application' Date/Time: 17/10/2015 1:23:31 AM
Type: Information Category: 0
Event: 6000 Source: Microsoft-Windows-Winlogon
The winlogon notification subscriber <SessionEnv> was unavailable to handle a notification event.
Log: 'Application' Date/Time: 17/10/2015 1:23:31 AM
Type: Information Category: 0
Event: 6000 Source: Microsoft-Windows-Winlogon
The winlogon notification subscriber <Sens> was unavailable to handle a notification event.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Critical Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 17/10/2015 1:11:26 AM
Type: Critical Category: 63
Event: 41 Source: Microsoft-Windows-Kernel-Power
The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.
Log: 'System' Date/Time: 17/10/2015 12:19:23 AM
Type: Critical Category: 63
Event: 41 Source: Microsoft-Windows-Kernel-Power
The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.
Log: 'System' Date/Time: 14/10/2015 3:47:21 PM
Type: Critical Category: 63
Event: 41 Source: Microsoft-Windows-Kernel-Power
The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.
Log: 'System' Date/Time: 14/10/2015 3:31:37 PM
Type: Critical Category: 63
Event: 41 Source: Microsoft-Windows-Kernel-Power
The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.
Log: 'System' Date/Time: 14/10/2015 12:59:05 AM
Type: Critical Category: 63
Event: 41 Source: Microsoft-Windows-Kernel-Power
The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.
Log: 'System' Date/Time: 12/10/2015 7:02:57 PM
Type: Critical Category: 64
Event: 10111 Source: Microsoft-Windows-DriverFrameworks-UserMode
The device Microsoft Usbccid Smartcard Reader (O2 Micro OZ776/777) (location Port_#0002.Hub_#0008) is offline due to a user-mode driver crash. Windows will attempt to restart the device 5 more times. Please contact the device manufacturer for more information about this problem.
Log: 'System' Date/Time: 12/10/2015 7:02:57 PM
Type: Critical Category: 64
Event: 10110 Source: Microsoft-Windows-DriverFrameworks-UserMode
A problem has occurred with one or more user-mode drivers and the hosting process has been terminated. This may temporarily interrupt your ability to access the devices.
Log: 'System' Date/Time: 11/10/2015 1:25:31 PM
Type: Critical Category: 63
Event: 41 Source: Microsoft-Windows-Kernel-Power
The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.
Log: 'System' Date/Time: 10/10/2015 6:08:03 PM
Type: Critical Category: 63
Event: 41 Source: Microsoft-Windows-Kernel-Power
The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.
Log: 'System' Date/Time: 06/10/2015 12:12:49 PM
Type: Critical Category: 63
Event: 41 Source: Microsoft-Windows-Kernel-Power
The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.
Log: 'System' Date/Time: 04/10/2015 10:31:17 PM
Type: Critical Category: 63
Event: 41 Source: Microsoft-Windows-Kernel-Power
The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.
Log: 'System' Date/Time: 03/10/2015 12:02:04 PM
Type: Critical Category: 63
Event: 41 Source: Microsoft-Windows-Kernel-Power
The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.
Log: 'System' Date/Time: 03/10/2015 4:40:37 AM
Type: Critical Category: 63
Event: 41 Source: Microsoft-Windows-Kernel-Power
The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.
Log: 'System' Date/Time: 03/10/2015 4:38:35 AM
Type: Critical Category: 63
Event: 41 Source: Microsoft-Windows-Kernel-Power
The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.
Log: 'System' Date/Time: 03/10/2015 12:43:12 AM
Type: Critical Category: 63
Event: 41 Source: Microsoft-Windows-Kernel-Power
The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.
Log: 'System' Date/Time: 02/10/2015 11:56:19 AM
Type: Critical Category: 63
Event: 41 Source: Microsoft-Windows-Kernel-Power
The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.
Log: 'System' Date/Time: 27/09/2015 7:58:10 AM
Type: Critical Category: 63
Event: 41 Source: Microsoft-Windows-Kernel-Power
The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.
Log: 'System' Date/Time: 27/09/2015 12:51:46 AM
Type: Critical Category: 63
Event: 41 Source: Microsoft-Windows-Kernel-Power
The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 17/10/2015 1:13:17 AM
Type: Error Category: 0
Event: 7001 Source: Service Control Manager
The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
Log: 'System' Date/Time: 17/10/2015 1:13:17 AM
Type: Error Category: 0
Event: 7001 Source: Service Control Manager
The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
Log: 'System' Date/Time: 17/10/2015 1:13:16 AM
Type: Error Category: 0
Event: 7001 Source: Service Control Manager
The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.
Log: 'System' Date/Time: 17/10/2015 1:13:15 AM
Type: Error Category: 0
Event: 10005 Source: Microsoft-Windows-DistributedCOM
DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
Log: 'System' Date/Time: 17/10/2015 1:13:15 AM
Type: Error Category: 0
Event: 10005 Source: Microsoft-Windows-DistributedCOM
DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
Log: 'System' Date/Time: 17/10/2015 1:13:14 AM
Type: Error Category: 0
Event: 10005 Source: Microsoft-Windows-DistributedCOM
DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
Log: 'System' Date/Time: 17/10/2015 1:13:08 AM
Type: Error Category: 0
Event: 10005 Source: Microsoft-Windows-DistributedCOM
DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
Log: 'System' Date/Time: 17/10/2015 1:13:03 AM
Type: Error Category: 0
Event: 7026 Source: Service Control Manager
The following boot-start or system-start driver(s) failed to load: discache spldr Wanarpv6
Log: 'System' Date/Time: 17/10/2015 1:11:31 AM
Type: Error Category: 0
Event: 6008 Source: EventLog
The previous system shutdown at 8:09:13 PM on 10/16/2015 was unexpected.
Log: 'System' Date/Time: 17/10/2015 1:05:14 AM
Type: Error Category: 0
Event: 7031 Source: Service Control Manager
The Windows Defender service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
Log: 'System' Date/Time: 17/10/2015 12:32:13 AM
Type: Error Category: 0
Event: 29 Source: volsnap
The shadow copies of volume C: were aborted during detection.
Log: 'System' Date/Time: 17/10/2015 12:32:20 AM
Type: Error Category: 0
Event: 6008 Source: EventLog
The previous system shutdown at 7:30:51 PM on 10/16/2015 was unexpected.
Log: 'System' Date/Time: 17/10/2015 12:31:31 AM
Type: Error Category: 0
Event: 7030 Source: Service Control Manager
The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
Log: 'System' Date/Time: 17/10/2015 12:29:20 AM
Type: Error Category: 0
Event: 7030 Source: Service Control Manager
The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
Log: 'System' Date/Time: 17/10/2015 12:25:56 AM
Type: Error Category: 0
Event: 7030 Source: Service Control Manager
The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
Log: 'System' Date/Time: 17/10/2015 12:24:01 AM
Type: Error Category: 0
Event: 7030 Source: Service Control Manager
The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
Log: 'System' Date/Time: 17/10/2015 12:19:53 AM
Type: Error Category: 0
Event: 7001 Source: Service Control Manager
The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.
Log: 'System' Date/Time: 17/10/2015 12:19:53 AM
Type: Error Category: 0
Event: 10005 Source: Microsoft-Windows-DistributedCOM
DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
Log: 'System' Date/Time: 17/10/2015 12:19:51 AM
Type: Error Category: 0
Event: 10005 Source: Microsoft-Windows-DistributedCOM
DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
Log: 'System' Date/Time: 17/10/2015 12:19:50 AM
Type: Error Category: 0
Event: 7001 Source: Service Control Manager
The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Information Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 17/10/2015 1:29:04 AM
Type: Information Category: 0
Event: 7036 Source: Service Control Manager
The Application Experience service entered the running state.
Log: 'System' Date/Time: 17/10/2015 1:26:33 AM
Type: Information Category: 0
Event: 206 Source: Microsoft-Windows-Application-Experience
The Program Compatibility Assistant service successfully performed phase two initialization.
Log: 'System' Date/Time: 17/10/2015 1:26:23 AM
Type: Information Category: 0
Event: 7036 Source: Service Control Manager
The Windows Update service entered the running state.
Log: 'System' Date/Time: 17/10/2015 1:26:19 AM
Type: Information Category: 0
Event: 7036 Source: Service Control Manager
The HomeGroup Provider service entered the running state.
Log: 'System' Date/Time: 17/10/2015 1:26:19 AM
Type: Information Category: 0
Event: 7036 Source: Service Control Manager
The Security Center service entered the running state.
Log: 'System' Date/Time: 17/10/2015 1:26:19 AM
Type: Information Category: 0
Event: 7036 Source: Service Control Manager
The Function Discovery Resource Publication service entered the running state.
Log: 'System' Date/Time: 17/10/2015 1:26:19 AM
Type: Information Category: 0
Event: 7036 Source: Service Control Manager
The Function Discovery Provider Host service entered the running state.
Log: 'System' Date/Time: 17/10/2015 1:26:16 AM
Type: Information Category: 0
Event: 7036 Source: Service Control Manager
The Windows Search service entered the running state.
Log: 'System' Date/Time: 17/10/2015 1:26:15 AM
Type: Information Category: 0
Event: 7036 Source: Service Control Manager
The SSDP Discovery service entered the running state.
Log: 'System' Date/Time: 17/10/2015 1:26:15 AM
Type: Information Category: 0
Event: 7036 Source: Service Control Manager
The Google Update Service (gupdate) service entered the stopped state.
Log: 'System' Date/Time: 17/10/2015 1:26:14 AM
Type: Information Category: 0
Event: 7036 Source: Service Control Manager
The Google Update Service (gupdate) service entered the running state.
Log: 'System' Date/Time: 17/10/2015 1:26:14 AM
Type: Information Category: 0
Event: 7036 Source: Service Control Manager
The Portable Device Enumerator Service service entered the stopped state.
Log: 'System' Date/Time: 17/10/2015 1:26:14 AM
Type: Information Category: 0
Event: 7036 Source: Service Control Manager
The Windows Media Player Network Sharing Service service entered the running state.
Log: 'System' Date/Time: 17/10/2015 1:26:14 AM
Type: Information Category: 0
Event: 14204 Source: Microsoft-Windows-WMPNSS-Service
Service 'WMPNetworkSvc' started.
Log: 'System' Date/Time: 17/10/2015 1:26:11 AM
Type: Information Category: 0
Event: 7036 Source: Service Control Manager
The Windows Font Cache Service service entered the running state.
Log: 'System' Date/Time: 17/10/2015 1:24:24 AM
Type: Information Category: 0
Event: 7036 Source: Service Control Manager
The Computer Browser service entered the stopped state.
Log: 'System' Date/Time: 17/10/2015 1:24:21 AM
Type: Information Category: 0
Event: 7036 Source: Service Control Manager
The WinHTTP Web Proxy Auto-Discovery Service service entered the running state.
Log: 'System' Date/Time: 17/10/2015 1:24:19 AM
Type: Information Category: 7005
Event: 20003 Source: Microsoft-Windows-UserPnp
Driver Management has concluded the process to add Service tunnel for Device Instance ID ROOT\*ISATAP\0002 with the following status: 0.
Log: 'System' Date/Time: 17/10/2015 1:24:18 AM
Type: Information Category: 0
Event: 7036 Source: Service Control Manager
The Computer Browser service entered the running state.
Log: 'System' Date/Time: 17/10/2015 1:24:14 AM
Type: Information Category: 0
Event: 7036 Source: Service Control Manager
The Bluetooth Support Service service entered the running state.
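As an added example (not part of the thread), this Python script parses the four-line record format of the 'System' log pasted above and tallies the entries a responder reads first: the repeated Kernel-Power 41 unexpected reboots, the Windows Defender service crash (7031) and aborted shadow copies (volsnap 29). The sample records are constructed from a few of the thread's own entries.

```python
import re
from collections import Counter
# Constructed sample in the four-line record format of the pasted 'System' log
# (three of the thread's entries, not the full dump).
SAMPLE_LOG = """\
Log: 'System' Date/Time: 17/10/2015 1:05:14 AM
Type: Error Category: 0
Event: 7031 Source: Service Control Manager
The Windows Defender service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
Log: 'System' Date/Time: 06/10/2015 12:12:49 PM
Type: Critical Category: 63
Event: 41 Source: Microsoft-Windows-Kernel-Power
The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.
Log: 'System' Date/Time: 04/10/2015 10:31:17 PM
Type: Critical Category: 63
Event: 41 Source: Microsoft-Windows-Kernel-Power
The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.
"""

HEADER = re.compile(r"^Log: '(?P<log>[^']+)' Date/Time: (?P<when>.+)$")
TYPE = re.compile(r"^Type: (?P<type>\w+) Category: (?P<cat>\d+)$")
EVENT = re.compile(r"^Event: (?P<id>\d+) Source: (?P<source>.+)$")

def parse_records(text):
    """Split the dump into records: header, type, event/source, then the message line."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    records = []
    for i in range(0, len(lines) - 3, 4):
        h, t, e = HEADER.match(lines[i]), TYPE.match(lines[i + 1]), EVENT.match(lines[i + 2])
        if not (h and t and e):
            raise ValueError(f"malformed record starting at line {i + 1}")
        records.append({"when": h["when"], "type": t["type"], "id": int(e["id"]),
                        "source": e["source"], "message": lines[i + 3]})
    return records

WATCHLIST = {  # (source, event id) pairs worth reading first in a suspected infection
    ("Microsoft-Windows-Kernel-Power", 41): "unexpected reboot or hard power loss",
    ("Service Control Manager", 7031): "a service crashed; check whether it is the AV",
    ("volsnap", 29): "shadow copies aborted; restore points may be unusable",
}

def triage(records):
    """Tally watch-listed events and flag a Windows Defender service crash."""
    counts = Counter((r["source"], r["id"]) for r in records)
    findings = [(src, eid, counts[(src, eid)], why)
                for (src, eid), why in WATCHLIST.items() if counts[(src, eid)]]
    defender_down = any(r["id"] == 7031 and "Windows Defender" in r["message"] for r in records)
    return {"findings": findings, "defender_terminated": defender_down,
            "unexpected_reboots": counts[("Microsoft-Windows-Kernel-Power", 41)]}
```

Run it over a full dump saved from the thread (the same format) to get the counts instead of reading the records one by one.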
Evidence of a pretty bad infection here.
I see a few items located in the startup folder that need to be removed.
c:\users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
restore_files_mkkgj.html [2015-8-22 5081]
restore_files_mkkgj.txt [2015-8-22 2253]
restore_files_qnhwg.html [2015-8-22 3822]
restore_files_qnhwg.txt [2015-8-22 2170]
I'm going to try to have this script remove them; if it doesn't, you might need to go through MSCONFIG and look through your startup list.
Next: Disconnect from the internet. If you are on Cable or DSL unplug your computer from the modem.
Next: Please disable all onboard security programs (all running with back ground protection) as it may hinder the scanner from working.
This includes Antivirus, Firewall, and any Spyware scanners that run in the background.
Click on this link Here to see a list of programs that should be disabled.
The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Please open Notepad *Do Not Use Wordpad!* (do not use any text editor other than Notepad or the script will fail) (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:
Registry::
c:\users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
"restore_files_mkkgj.html"=-
"restore_files_mkkgj.txt"=-
"restore_files_qnhwg.html"=-
"restore_files_qnhwg.txt"=-
Save this as "CFScript.txt" including quotes and change the "Save as type" to "All Files" and place it on your desktop.
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe. ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
If there are internet issues afterward:
*In IE: Tools Menu -> Internet Options -> Connections Tab ->Lan Settings > uncheck "use a proxy server" or reconfigure the Proxy server again in case you have set it previously.
In Firefox: Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection, uncheck the proxy server and set it to No Proxy.
Chrome:
Select -> Tools menu -> then "Options", then go to "Change Proxy Settings", then "LAN Settings" , then take out the check mark for "Use a proxy server for your LAN" if set, unless you set this up yourself.
~~~~~~~~~~~~~~~
Download the latest version of TDSSKiller from here and save it to your Desktop.
http://media.kaspersky.com/utilities...tdsskiller.exe
http://www.bleepingcomputer.com/down...sskiller/dl/4/
- Doubleclick on TDSSKiller.exe to run the application
- Then click on Change parameters.
- Check the boxes beside Verify Driver Digital Signature, Detect TDLFS file system and Use KSN to scan objects , then click OK.
- Click the Start Scan button.
- If a suspicious object is detected, the default action will be Skip, click on Continue.
- If malicious objects are found, they will show in the Scan results and offer three (3) options.
- Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
- Get the report by selecting Reports
- Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
Please copy and paste its contents on your next reply.
A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
~~
Please post these 2 logs when finished.