My computer is sending out spam and there is nothing I can do to stop it!

Thank you for getting back to me, Valinorum. I actually said I did not try the tools in Safe Mode. I probably should have known to do that but when Pondus suggested downloading FRST and it crashed my computer twice, you said to forget FRST for now and suggested some other things without saying to do them in Safe Mode.

So the question now is should I download and run FRST in Safe Mode with networking as a first step? Or should I run the chkdsk command first, and should I do that in safe mode? I don’t know what the syntax /f means, but I did run chkdsk on restart and found lots of old corrupted files. Would that log be useful?

Syntax /f switch means PC will try to fix the errors it found. Yes, attach the logs and run FRST in Safe Mode.

Thank you! I presume I run the command from a C: prompt? I will attach the previous log. But since I didn’t use the f switch should I do it again, before FRST?

Try to get logs from FRST first.

Not sure if this is the right log for the chkdsk I ran on March 6. It is not what I read from the onscreen results when it was finished. I found this in Event Viewer.

I will do FRST next and post the log when done.

Oh no. I booted into safe mode with networking, but I have no internet connection to download FRST.

Not sure why I couldn’t get an internet connection in Safe Mode with Networking, but I was able to download and run FRST in regular mode this time. No crashes. Here are the two logs.

Also upgraded to Malwarebytes premium, and am attaching that log as well. It quarantined a PUP. Not sure if that is why I could download FRST, but can’t think of anything else I did differently.

Here’s the FRST log.

I hope this helps diagnose the problem/s I’ve been having with sending out spam and also Windows Explorer crashes.

Step # Fix with AdwCleaner

- Download AdwCleaner by Xplode to your Desktop from the following link.
  - Download Link #1
  - Download Link #2
- Right-click on AdwCleaner.exe and choose Run as administrator;
- Click on Option and put a tick mark on everything;
- Click on Scan and let the program run unhindered;
- When done, click on Clean and allow the system to reboot after it is done;
- A log will be opened automatically after the restart. If not, it is located in C:\AdwCleaner\AdwCleaner[CX].txt, where X is replaced with a number;
- Copy and Paste the contents of this log in your reply.


OK, done. Here is the log. Can you tell me what it means?

AdwCleaner v5.105 - Logfile created 21/03/2016 at 21:43:30

Updated 21/03/2016 by Xplode

Database : 2016-03-21.3 [Local]

Operating system : Windows Vista ™ Home Premium Service Pack 2 (x86)

Username : Wendy - WENDY-PC

Running from : C:\Users\Wendy\Desktop\AdwCleaner.exe

Option : Clean

Support : http://toolslib.net/forum

***** [ Services ] *****

***** [ Folders ] *****

[-] Folder Deleted : C:\Program Files\Yahoo!\Companion
[-] Folder Deleted : C:\Users\Wendy\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcbkbpnkkkipelfledbfocopglifcfmi

***** [ Files ] *****

[-] File Deleted : C:\ProgramData\XRuntime.dll.log
[-] File Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eBay.lnk

***** [ DLLs ] *****

***** [ Shortcuts ] *****

***** [ Scheduled tasks ] *****

***** [ Registry ] *****

[-] Key Deleted : HKLM\SOFTWARE\Classes\speedupmypc
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
[-] Key Deleted : HKCU\Software\APN PIP
[-] Key Deleted : HKCU\Software\YahooPartnerToolbar
[-] Key Deleted : HKCU\Software\AppDataLow\Software\Yahoo\Companion
[-] Key Deleted : HKLM\SOFTWARE\Uniblue
[-] Key Deleted : HKLM\SOFTWARE\Yahoo\Companion
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8DBC5A0A-31C4-46C7-B252-6B593EA11A87}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{8DBC5A0A-31C4-46C7-B252-6B593EA11A87}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\MyPC Backup
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{E4AC4DBE-7EC7-4F1F-8D02-92E74A6C2B00}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{E4AC4DBE-7EC7-4F1F-8D02-92E74A6C2B00}

***** [ Web browsers ] *****

[-] [C:\Users\Wendy\AppData\Roaming\Mozilla\Firefox\Profiles\61polcqp.default\prefs.js] [Preference] Deleted : user_pref("avg.toolbar.buttons_icon", ",chrome://avg/skin/safesurf.png,chrome://avg/skin/safesurf.png,chrome://avg/skin/safesearch.png,chrome://avg/skin/avglinks.png,chrome://avg/skin/avglinks.png,")[…]
[-] [C:\Users\Wendy\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : ask.com
[-] [C:\Users\Wendy\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Deleted : mcbkbpnkkkipelfledbfocopglifcfmi


:: "Tracing" keys removed
:: Proxy settings cleared
:: Winsock settings cleared
:: TCP/IP settings cleared
:: Firewall settings cleared
:: IPSec settings cleared
:: BITS queue cleared
:: IE policies deleted
:: Chrome policies deleted


C:\AdwCleaner\AdwCleaner[C1].txt - [2837 bytes] - [21/03/2016 21:43:30]
C:\AdwCleaner\AdwCleaner[S1].txt - [3323 bytes] - [21/03/2016 21:09:54]
C:\AdwCleaner\AdwCleaner[S2].txt - [3395 bytes] - [21/03/2016 21:39:28]

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [3056 bytes] ##########
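For readers with the same question about what such a log means, here is an added example (not part of the original thread and not AdwCleaner's own code) that groups the removed items in a log of this layout by section and lists the network resets. The function names are hypothetical, and the sample is an excerpt of the log posted above.

```python
import re

SECTION = re.compile(r"^\*{5} \[ (.+?) \] \*{5}$")     # ***** [ Registry ] *****
REMOVED = re.compile(r"^\[-\] (.+?) Deleted : (.+)$")  # [-] <kind> Deleted : <target>
RESET = re.compile(r"^:: (.+)$")                       # :: Winsock settings cleared

def parse_adwcleaner_log(text):
    """Group removed items by log section and collect the ':: ...' reset lines."""
    sections, resets, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SECTION.match(line):
            current = m.group(1)
            sections[current] = []
        elif (m := REMOVED.match(line)) and current is not None:
            # kind is e.g. "Key", or "[file] [Search Provider]" for browser entries
            sections[current].append((m.group(1), m.group(2)))
        elif m := RESET.match(line):
            resets.append(m.group(1))
    return sections, resets

def summarize(text):
    """Return ({section: removed-item count}, [resets]), skipping empty sections."""
    sections, resets = parse_adwcleaner_log(text)
    return {name: len(items) for name, items in sections.items() if items}, resets

# Excerpt of the log posted above (assumed layout: AdwCleaner v5 clean log).
SAMPLE = r"""
***** [ Services ] *****
***** [ Folders ] *****
[-] Folder Deleted : C:\Program Files\Yahoo!\Companion
***** [ Files ] *****
[-] File Deleted : C:\ProgramData\XRuntime.dll.log
[-] File Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eBay.lnk
***** [ Registry ] *****
[-] Key Deleted : HKLM\SOFTWARE\Uniblue
[-] Key Deleted : HKCU\Software\YahooPartnerToolbar
***** [ Web browsers ] *****
[-] [C:\Users\Wendy\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : ask.com
:: Winsock settings cleared
:: Proxy settings cleared
"""

if __name__ == "__main__":
    counts, resets = summarize(SAMPLE)
    print(counts)
    print(resets)
```

Empty sections such as Services mean nothing of that type was flagged; the `::` lines record that the tool reset those network settings to defaults as part of the clean.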

> OK, done. Here is the log. Can you tell me what it means?

It removed the adware from your PC. Please post a fresh FRST scan log for my perusal.

Logs attached, thanks.

By the way, Avast found and isolated a couple of threats since I’ve been working with you. I don’t know how relevant they are, but there was a PUP of low severity on March 11, and today a Win32:Evo-gen medium severity threat in a very old dll file. Not sure how these get discovered every now and then. Do viruses wander around and attach themselves in weird places? Or does Avast suddenly become aware of them after a period of many years?

Another question: I have two back-up hard drives, one internal and one external. Should I be running these scans on those drives as well?

And here is the FRST.txt. I don’t know why they didn’t both attach before.

Uninstall HijackThis. Are you connected via a router?

> I have two back-up hard drives, one internal and one external. Should I be running these scans on those drives as well?

You can scan with your AV after I check your main drive.

Step #1 Fix with FRST

Make sure that you still have FRST.exe on your Desktop. If you do not have it, download the suitable version from here to your Desktop.

- Open Notepad.exe. Do not use any other text editor software;
- Copy and Paste the contents inside the code-box to your Notepad

Start
CreateRestorePoint:
CloseProcesses:
EmptyTemp:
Hosts:
HKLM\...\Run: [] => [X]
HKU\S-1-5-21-187910230-99387831-1267207836-1001\...\MountPoints2: M - M:\Setupx.exe
HKU\S-1-5-21-187910230-99387831-1267207836-1001\...\MountPoints2: {39611f1b-a169-11df-9e1f-001a92996cfe} - G:\Connect.exe
HKU\S-1-5-21-187910230-99387831-1267207836-1001\...\MountPoints2: {83c60d50-1b05-11dd-9c54-806e6f6e6963} - F:\start.exe
FF user.js: detected! => C:\Users\Wendy\AppData\Roaming\Mozilla\Firefox\Profiles\61polcqp.default\user.js [2010-10-15]
C:\ProgramData\ReturnCounter2008.dat

End

- Click on File > Save as…
  - Inside the File Name box type fixlist.txt
  - From the Save as type drop down list, choose All Files
  - Save the file to your Desktop;
- Re-run FRST.exe and click Fix;
- Note: If FRST advises there is a new updated version to be downloaded, do so/allow this.
- After the completion, a log will be produced;
- Attach the log in your next reply.


HijackThis uninstalled.
I am connected via router from my desktop computer which is where the problems are. I use WiFi on my laptop, phone, iPad, TV and printer.

Log attached.

UPDATE: 14th batch of spam went out this morning. Last one was March 3. I guess there’s still some cleaning to do. Not only that, I had to do another Safe Mode System Restore because the computer was being unresponsive.

If you used System Restore to a date prior to my fix, the fix would be rendered useless. I counsel you to apply the fix again and reset your router afterward.

I don’t understand, Valinorum. I thought you were still working on a fix, so I don’t know what fix, or date, you are referring to. I would be happy to apply it again, but could you tell me what I need to do? What were the results of the last log I posted? Also, would you mind telling me how to reset my router?

Around the same time that I gave you the last update, a new version of Malwarebytes became available, but I ended up having to do a clean uninstall and redownload it. Now it won’t update properly. I’m sure this is all related. I was going to post in their forum, but thought I’d better wait until we are done here.

Thank you for your time and help.

If you apply System Restore after FRST fix, the System Restore option will restore anything that was fixed. Which brand of router are you using?

I’m using a Linksys 5G router.

So, I should follow the directions from March 23: “Step #1 Fix with FRST” again? You never commented between my last FRST log post and the problems I started having with Malwarebytes, so I wasn’t sure if I was rid of the malware, or if it was a system problem. At this point I don’t remember what restore point I used.

So, if I continue having problems with Malwarebytes AFTER I do the FRST fix, and do a clean uninstall of Malwarebytes, then what? That’s what happened before.