Post by boherb on Oct 31, 2014 17:50:36 GMT -8
I misread Task Manager; there is also an instance of explorer.exe that is using the memory and CPU.
Quads
Malware Removalists
In New Zealand
Posts: 9,387
Post by Quads on Oct 31, 2014 18:00:54 GMT -8
iexplore.exe is legit and can have more than one running.
explorer.exe is a main Windows process; that is how you are able to see the taskbar, start menu, desktop and what is on the desktop, and browse around the computer.
Quads
Post by boherb on Oct 31, 2014 18:48:34 GMT -8
I think I may be good then. Thanks
Post by Quads on Oct 31, 2014 18:59:06 GMT -8
You know how you can explore the hard drive, like in Pictures, Documents and other folders? That is explorer.
Quads
Post by Quads on Nov 1, 2014 1:59:29 GMT -8
Post by boherb on Nov 1, 2014 11:33:14 GMT -8
Farbar Service Scanner Version: 21-07-2014
Ran by Ed (administrator) on 01-11-2014 at 15:32:07
Running from "C:\Users\Ed\Desktop"
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============

Firewall Disabled Policy:
==================

System Restore:
============

System Restore Disabled Policy:
========================

Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.

Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1

Other Services:
==============

File Check:
========
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\dhcpcore.dll => File is digitally signed
C:\Windows\System32\drivers\afd.sys => File is digitally signed
C:\Windows\System32\drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\mpssvc.dll => File is digitally signed
C:\Windows\System32\bfe.dll => File is digitally signed
C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed
C:\Windows\System32\SDRSVC.dll => File is digitally signed
C:\Windows\System32\vssvc.exe => File is digitally signed
C:\Windows\System32\wscsvc.dll => File is digitally signed
C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\qmgr.dll => File is digitally signed
C:\Windows\System32\es.dll => File is digitally signed
C:\Windows\System32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Windows\System32\ipnathlp.dll => File is digitally signed
C:\Windows\System32\iphlpsvc.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed

**** End of log ****
Post by Quads on Nov 1, 2014 12:25:10 GMT -8
On with step 4: complete system check for any file, and cleanup of items and tools used. With hope!!
Special attention to the different settings I have asked for below.
You can leave Norton enabled even though ESET may warn about it; it just makes the scan take longer.
The pictures below showing what to click may be blue instead of green on the ESET website now, but the procedure is still the same.
Please read carefully and slowly. Notice all the settings listed below to check before starting the scan. Take note of the NO tick in the Remove found threats setting below, as it needs to have the tick removed.

Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
Click the
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
Double click on the icon on your desktop.
Check
Click the button.
Accept any security warnings from your browser.
Under scan settings, check DON'T (NO) check Remove found threats (reason for this is we don't want something deleted and then Windows won't load).
Click Advanced settings and select the following:
Scan potentially unwanted applications
Scan for potentially unsafe applications
Enable Anti-Stealth technology

ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
Attach the resulting log in your next reply.
The scanner screen gives me the option of saving the results to a .txt file as part of the options after the scan has finished.
Screenshot of part of the finished scan dialog box by ESET showing the options.
List found threats and at the bottom of the listings is the options to save the list.
Quads
Post by boherb on Nov 2, 2014 2:35:14 GMT -8
Post by Quads on Nov 3, 2014 16:49:37 GMT -8
You may want to read carefully all of this message first before starting the steps.
NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
Download the attached script. It needs to have the same file name as well (fixlist.txt). Have it on the Desktop, so that fixlist.txt is next to FRST64.exe.
DO NOT DRAG AND DROP to download the script, it won't work for FRST. (Right click on the attachment link (not the normal left click) and from the menu choose Save As or Save Link as.)
The script tells FRST what to do.
Start FRST that is on the desktop. When the tool opens, click Yes to the disclaimer (if it still does).
Press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt); please post it in your reply (attach or paste).
Quads
Post by boherb on Nov 3, 2014 17:28:29 GMT -8