Hi helpful community. I´ve been infected :-[
Attached is my scan log…
downloading farbar now.
any help is much appreciated.
Hi helpful community. I´ve been infected :-[
Attached is my scan log…
downloading farbar now.
any help is much appreciated.
Monitoring …
Please make sure you post both logs from FRST. Also, if this came from a USB drive please run the MCShield scanner and post that log also.
would the potentially infected usb drive need to be inserted for that? please excuse my technological incompetence
FRST logs
ok. I figured it was with the usb inserted. It shows some malware, so I´m assuming I got it from using the usb at a public printing shop.
I ran the aswmbr. The first time, windows stopped it. The second time it crashed the machine. Should I try again?
No, do not run aswMBR.exe again. I will return shortly with scripts for you. Thank you.
Open notepad by pressing the Windows Key + R Key, typing in Notepad in the Run dialog and then pressing Enter. Please copy the contents of the Code box below. To do this highlight the contents of the box by clicking [Select] next to Code: , then right click on any of the highlighted text and select copy. Paste this into the open notepad. Save it to your desktop as fixlist.txt
Start
CreateRestorePoint:
CloseProcesses:
HKU\S-1-5-21-1267189176-3519189978-1013576074-1000\...\MountPoints2: {c4c2c1d3-31a9-11e5-8b2a-60eb698194e0} - E:\KODAK_Camera_Setup_App.exe
HKU\S-1-5-21-1267189176-3519189978-1013576074-1000\...\MountPoints2: {c7796f03-2cf2-11e5-901a-60eb698194e0} - F:\KODAK_Camera_Setup_App.exe
HKU\S-1-5-21-1267189176-3519189978-1013576074-1000\...\MountPoints2: {ddb0e58f-35a2-11e5-8ee5-60eb698194e0} - E:\iLinker.exe
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
2015-11-11 23:01 - 2015-11-11 23:13 - 00000000 ____D C:\c2f1603a38255befb3df3f
2015-07-11 13:08 - 2015-07-11 13:08 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
2015-07-15 04:13 - 2015-06-15 16:42 - 71933568 ___SH () C:\ProgramData\msmeb.exe
C:\Users\Foster\AppData\Local\Temp\cdo2651199875.dll
C:\Users\Foster\AppData\Local\Temp\DriverDetective.exe
C:\Users\Foster\AppData\Local\Temp\MSETUP4.EXE
C:\Users\Foster\AppData\Local\Temp\scpDD38.tmp.exe
C:\Users\Foster\AppData\Local\Temp\SkypeSetup.exe
C:\Users\Foster\AppData\Local\Temp\uninstall.exe
Task: {3A1A4ADF-E059-4643-B1DF-0B46B35573B9} - System32\Tasks\{68131B52-030D-4476-A90F-48DD8AE640A4} => pcalua.exe -a "C:\Users\Foster\AppData\Local\Temp\Temp1_CardReader_Alcor_1.0.12.50_W7x86W7x64_A.zip\Card Reader_Alcor_1.0.12.50_Win7x86x64\instmsia.exe"
Task: {FA874078-6577-460E-A450-4E0D58926198} - System32\Tasks\{9E501819-46C8-49B4-BF10-3B5B644FA789} => Chrome.exe hxxp://ui.skype.com/ui/0/7.12.80.101/en/go/help.faq.installer?LastError=1603
cmd: ipconfig /flushdns
cmd: netsh advfirewall reset
cmd: netsh advfirewall set allprofiles state on
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
CMD: bitsadmin /reset /allusers
RemoveProxy:
EmptyTemp:
Reboot:
end
NOTE. It’s important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
Run FRST64 by right clicking on the FRST64.exe file, selecting “Run as Administrator…”. The User Account Control may open up; if it does, select Yes to continue to let FRST open and load.
The tool will check for an updated version of itself every time it loads; please allow it to do this and the program will either inform you it is downloading an updated copy (and to wait until it is safe to continue) or show nothing (meaning there is no update found) and you can continue on. Press the Fix button just once and wait. The tool will create a restore point, process the script and ask for a restart of your system.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please attach it to your reply post. Also, tell me how your system is running now.
Thank you so much. I apologize that I have to leave for the jungle right now (we work near the Panama-Colombian border) and don´t have time to apply the fix. We return in 8 to 10 days, and I will try the fix and post the results as soon as we return. Thanks again.
We will be here when you get back. Have a safe trip …
The pop did not come up since returning (prior to running the fix). Attached is the fixlog.
Glad you are back and that the problem seems to be fixed now. If everything is running well, let’s get the tools off the system and you on your way …
Clean up of Malware Removal Tools
Now that we are through using these tools, let’s clean them off your system so that should you ever need to have malware removed again (we hope not) fresh, updated copies will be downloaded.
[]Download Delfix from here to your desktop and double click it to start the program
[*]Ensure Remove disinfection tools is ticked
Also tick:
[]Activate UAC
[]Create registry backup
[]Purge system restore
[*]Reset system settings
http://i1351.photobucket.com/albums/p785/dbreeze2/just%20stuff/DelFixSelectall_zps0f04cec4.png
[*]Click Run
[*]The program will run for a few moments and then notepad will open with a log. Note: Please save this log first before rebooting your system (if asked to); DelFix does not save the log as it is trying to remove all traces of our work on your system. Please attach the log in your next reply.
You can delete any log files left on your desktop as these are no longer needed.
Great!
Can you recommend the tools I should have installed to minimize the risk of future infections?
Sure >>>>
Avast (you already have this)
MalwareBytes Anti-Malware (scan at least once a week)
MCShield (free scanner / AV only for USB drives) -
https://dl.dropbox.com/u/73555776/mcshield%20unhide.JPG
- Plug in the drive and McShield will start a scan