Juliet Posted October 21, 2014

"Also for some reason when I plugged in my ext hard drive it didn't show. I kept clicking COMPUTER to see all the drives. The drive is only a couple years old I think and is a Seagate, so it's good quality. Is there some command I can give to make my drive show up on screen so I can then check it out?"

Here I am not sure what is happening, would think you could find it and assign a drive number/letter while in device manager but I have no experience with this. It could be an issue with autorun
http://www.sevenforums.com/tutorials/216706-autoplay-enable-disable.html
http://msdn.microsoft.com/en-us/library/windows/desktop/cc144204(v=vs.85).aspx
After I can get the computer clean I'll send you over to our User to User forum and let the tech guys help you there.

Open notepad. Please copy the contents of the quote box below. To do this highlight the contents of the box and right click on it and select copy. Paste this into the open notepad. Save it to the Desktop as fixlist.txt

NOTE. It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work. It needs to be saved next to the "Farbar Recovery Scan Tool" (If asked to overwrite existing one please allow)

start
CloseProcesses:
C:\Users\Vidya Samson\Desktop\ccsetup410.exe
D:\Local Disk\Data\Drive D\data 2\software\ccsetup310.exe
End

Open FRST/FRST64 and press the Fix button just once and wait. If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run. When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

~~~~~~~~~~~~~~~~~~~~

Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
There are 6 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click and choose Run as Admin
You only need to get one of them to run, not all of them.
rkill.exe
rkill.com
rkill.scr
rkill.pif
WiNlOgOn.exe
uSeRiNiT.exe

~~~~~~~~~~~~~~~~~~~~~~~~~

Please download RogueKiller and save it to your desktop.
You can check here if you're not sure if your computer is 32-bit or 64-bit
Download RogueKiller to your desktop.
Quit all running programs.
For Windows XP, double-click to start.
For Vista, Windows 7/8, right-click on the program and select Run as Administrator to start and when prompted allow it to run.
Read and accept the EULA (End User License Agreement)
Click Scan to scan the system.
When the scan completes Close the program > Don't Fix anything!
Don't run any other options, they're not all bad!!
Post back the report which should be located on your desktop.

~~~~~~~~~~~~~~~~~~~~~~~~~~

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

How to use ComboFix
Download ComboFix from here: Link 1 Link 2 Link 3
Place ComboFix.exe on your Desktop <--Important
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. You can get help on disabling your protection programs here
Double click on ComboFix.exe & follow the prompts.
You may be asked to install or update the Recovery Console (Win XP Only). If this happens please allow it to do so (you will need to be connected to the internet for this)
Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may need to reboot your computer more than once to do its job; this is normal.
When finished, it shall produce a log for you. Post that log in your next reply
Note: Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.
Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

---------------------------------------------------------------------------------------------

Ensure your AntiVirus and AntiSpyware applications are re-enabled.
Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: ComboFix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

---------------------------------------------------------------------------------------------

If there are Internet issues after running ComboFix:

Internet Explorer: Tools Menu -> Internet Options -> Connections Tab -> Lan Settings > uncheck "use a proxy server" and check to "Automatically detect settings". Also clear any proxy address and port. ok, apply (only if applicable), ok.

Firefox: Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection. "No Proxy" should be selected, unless you have one set up yourself.

Chrome: Select -> Tools menu -> then "Options", then go to "Change Proxy Settings", then "LAN Settings", then take out the check mark for "Use a proxy server for your LAN" if set, unless you set this up yourself.

Safari: Launch Safari. Go to general settings menu. Then in Preferences/ Advanced. Then on line click Proxies change settings ... Click Internet Options, then click the Connections tab, click Network Settings. Disable option (uncheck) for the use of proxy server ...

~~~~~~~~~~~~~~~~

Please post
Fixlog.txt
RKill log
RogueKiller
ComboFix log
crossword Posted October 27, 2014 (Author)

Hi, I finally discovered why, when I plugged in my ext hard drive, it didn't show. I was plugging it into the USB ports in front of my desktop tower. They used to work. Now they don't seem to work for the HD [though the comp is only a year old and I hardly used these ports], so I plugged into the back.

I had saved CCleaner on my ext hard drive too. Can you please write me some code that I can use along with the code you already wrote so I can be sure any malware is deleted from my ext HD too? But I suppose for that you will need to know the exact path of it on HDD and I don't know how to get that. What do I run for that?

Earlier I ran ESET but that was a one time thing I was allowed, so I can't run it again to check the HD. I will run the other programs you told me to.
Juliet Posted October 27, 2014

If you plug in an external while running scans it should be seen and scanned too.

Look in your add/remove programs list and see if this is there
ESET esetsmartinstaller_enu.exe <-- remove/uninstall if you want to run another online scan.

Don't run another online scan please till I can see the results for these
Fixlog.txt
RKill log
RogueKiller
ComboFix log
crossword Posted October 30, 2014 (Author)

"If you plug in an external while running scans it should be seen and scanned too. Look in your add/remove programs list and see if this is there ESET esetsmartinstaller_enu.exe <-- remove/uninstall if you want to run another online scan."

Yes it's there. So if I uninstall it, ESET will allow me to run another online scan even though they specified that the online scan was a ONE time thing only?

The logs:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 06-10-2014
Ran by Vidya Samson at 2014-10-30 18:16:09 Run:5
Running from C:\Users\Vidya Samson\Desktop
Loaded Profile: Vidya Samson (Available profiles: Vidya Samson)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start
CloseProcesses:
C:\Users\Vidya Samson\Desktop\ccsetup410.exe
D:\Local Disk\Data\Drive D\data 2\software\ccsetup310.exe
End
*****************

Processes closed successfully.
C:\Users\Vidya Samson\Desktop\ccsetup410.exe => Moved successfully.
D:\Local Disk\Data\Drive D\data 2\software\ccsetup310.exe => Moved successfully.
The system needed a reboot.

==== End of Fixlog ====

Rkill 2.6.8 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 10/30/2014 06:20:52 PM in x86 mode.
Windows Version: Windows 8 Enterprise

Checking for Windows services to stop:
* No malware services found to stop.

Checking for processes to terminate:
* No malware processes found to kill.

Checking Registry for malware related settings:
* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:
* Windows Defender Disabled
[HKLM\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware" = dword:00000001

Checking Windows Service Integrity:
* No issues found.

Searching for Missing Digital Signatures:
* No issues found.

Checking HOSTS File:
* No issues found.

Program finished at: 10/30/2014 06:21:19 PM
Execution time: 0 hours(s), 0 minute(s), and 26 seconds(s)

ComboFix 14-10-29.01 - Vidya Samson 10/30/2014 18:35:34.2.2 - x86
Microsoft Windows 8 Enterprise 6.2.9200.0.1252.1.1033.18.3326.2455 [GMT 5.5:30]
Running from: c:\users\Vidya Samson\Desktop\ComboFix.exe
AV: Quick Heal Total Security 2013 *Disabled/Updated* {D8418B0E-EE80-1320-B172-3D5DEB3CE14F}
AV: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Quick Heal Firewall *Enabled* {E07A0A2B-A4EF-1278-9A2D-946815EFA634}
SP: Quick Heal Total Security 2013 *Disabled/Updated* {63206AEA-C8BA-1CAE-8BC2-062F90BBABF2}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Vidya Samson\Desktop\Adware-Removal-Tool-V3.7.exe
.
.
((((((((((((((((((((((((( Files Created from 2014-09-28 to 2014-10-30 )))))))))))))))))))))))))))))))
.
.
2014-10-30 13:09 . 2014-10-30 13:09 -------- d-----w- c:\users\Vidya Samson\AppData\Local\temp
2014-10-30 13:09 . 2014-10-30 13:09 -------- d-----w- c:\users\Public\AppData\Local\temp
2014-10-30 13:09 . 2014-10-30 13:09 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-10-20 09:08 . 2014-10-20 09:08 -------- d-----w- c:\users\Vidya Samson\AppData\Local\ElevatedDiagnostics
2014-10-18 01:31 . 2014-10-18 01:31 -------- d-----w- c:\program files\ESET
2014-10-06 05:14 . 2014-10-06 05:14 -------- d-----w- c:\users\Vidya Samson\AppData\Local\PDF24
2014-10-06 05:13 . 2014-10-06 05:14 -------- d-----w- c:\program files\PDF24
2014-10-05 09:57 . 2014-10-05 09:57 -------- d-----w- c:\users\Vidya Samson\AppData\Roaming\PDF Writer
2014-10-05 09:57 . 2014-10-05 09:57 -------- d-----w- c:\users\Vidya Samson\AppData\Local\PDF Writer
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-10-07 16:29 . 2014-09-10 01:23 110296 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-09-28 09:45 . 2014-09-28 09:45 348160 ----a-w- c:\windows\system32\msvcr71.dll
2014-09-28 09:45 . 2014-09-28 09:45 1060864 ----a-w- c:\windows\system32\mfc71.dll
2014-08-18 18:31 . 2014-01-16 07:50 472808 ----a-w- c:\windows\system32\deployJava1.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ShareOverlay]
@="{594D4122-1F87-41E2-96C7-825FB4796516}"
[HKEY_CLASSES_ROOT\CLSID\{594D4122-1F87-41E2-96C7-825FB4796516}]
2013-07-21 04:39 592352 ----a-w- c:\program files\Classic Shell\ClassicExplorer32.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Quick Heal Core UI"="c:\program files\Quick Heal\Quick Heal Total Security\strtupap.exe" [2012-08-03 161264]
"eTMonitor"="c:\program files\Aladdin\eToken\PKIClient\x32\PKIMonitor.exe" [2009-11-15 230752]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2014-08-21 959176]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"PDFPrint"="c:\program files\PDF24\pdf24.exe" [2014-07-04 191528]
.
c:\users\Vidya Samson\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE /tsr [2010-1-21 226176]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"PromptOnSecureDesktop"= 0 (0x0)
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableCursorSuppression"= 1 (0x1)
"EnableUIADesktopToggle"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"disablecad"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\QUICKH~1\QUICKH~1\PCTuner\ntdefrag.exe
.
R0 mscank;mscank;c:\windows\system32\DRIVERS\mscank.sys [2012-07-27 33136]
R2 Core Scanning ServerEx;Core Scanning ServerEx;c:\program files\Quick Heal\Quick Heal Total Security\SAPISSVC.EXE [2012-07-27 206320]
R3 llio;llio;c:\windows\system32\DRIVERS\llio.sys [2014-03-27 58728]
S1 ggc;ggc;c:\windows\system32\DRIVERS\ggc.sys [2012-07-27 49904]
S1 wsnf;Network Filter Driver;c:\windows\system32\DRIVERS\wsnf.sys [2012-07-10 38856]
S1 wstif;wstif;c:\windows\system32\drivers\wstif.sys [2012-08-05 68448]
S2 catflt;catflt;c:\windows\system32\DRIVERS\catflt.sys [2014-03-05 45672]
S2 Core Mail Protection;Core Mail Protection;c:\program files\Quick Heal\Quick Heal Total Security\EMLPROXY.EXE [2012-07-27 29680]
S2 Core Scanning Server;Core Scanning Server;c:\program files\Quick Heal\Quick Heal Total Security\SAPISSVC.EXE [2012-07-27 206320]
S2 EMLSS;EMLSS;c:\windows\system32\drivers\emltdi.sys [2012-08-03 29424]
S2 eTSrv;ETOKSRV;c:\program files\Aladdin\eToken\PKIClient\x32\eTSrv.exe [2009-11-15 12640]
S2 Online Protection System;Online Protection System;c:\program files\Quick Heal\Quick Heal Total Security\opssvc.exe [2012-07-27 25584]
S2 Quick Update Service;Quick Update Service;c:\program files\Quick Heal\Quick Heal Total Security\quhlpsvc.exe [2012-07-27 91120]
S3 RTL8168;Realtek 8168 NT Driver;c:\windows\system32\DRIVERS\Rt630x86.sys [2012-07-25 495104]
.
.
Contents of the 'Scheduled Tasks' folder
.
2014-10-30 c:\windows\Tasks\Quick Heal AntiMalware Scan.job
- c:\program files\Quick Heal\Quick Heal Total Security\ASMAIN.EXE [2012-07-27 20:21]
.
2014-10-30 c:\windows\Tasks\Resume Quickup Download.job
- c:\program files\Quick Heal\Quick Heal Total Security\ACAPPAA.EXE [2012-07-27 15:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://www.google.com
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Vidya Samson\AppData\Roaming\Mozilla\Firefox\Profiles\xjxa2sli.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.zoetrope.com/members/priv/index.cgi?show_page=discuss&owner=14437
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
@SACL=(02 0000)
.
Completion time: 2014-10-30 18:40:03
ComboFix-quarantined-files.txt 2014-10-30 13:10
.
Pre-Run: 34,608,132,096 bytes free
Post-Run: 34,568,003,584 bytes free
.
- - End Of File - - 23EFB61E6FFF9AF2916811161F1B1906
A36C5E4F47E84449FF07ED3517B43A31
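The Rkill and ComboFix logs in the post above both record registry policy values that weaken the machine's own defences: Rkill reports "Windows Defender Disabled" from `DisableAntiSpyware = 1`, and ComboFix lists the UAC policy key with `ConsentPromptBehaviorAdmin = 0` and `PromptOnSecureDesktop = 0`. The script below is an added example (not part of the thread and not code from Rkill, ComboFix or Farbar) that parses those two line formats and flags values that differ from the documented Windows defaults. The sample lines are copied from the logs above; the default values and the meaning attached to each are the script's own assumptions, to be checked against your own baseline before acting on a finding.

```python
"""Flag weakened Windows security-policy values in Rkill / ComboFix log output.

Added example, not part of the thread above and not any tool's own code. The
two line formats are the ones visible in the posted logs; the expected values
are the documented Windows defaults (an assumption for this example).
"""
import re

# Rkill writes    "Name" = dword:HHHHHHHH
# ComboFix writes "Name"= DEC (0xHEX)
RKILL_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*dword:(?P<hex>[0-9a-fA-F]{8})$')
COMBOFIX_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<dec>\d+)\s*\(0x[0-9a-fA-F]+\)$')

# name -> (predicate that is True when the value is weaker than the default, explanation)
# Defaults assumed: ConsentPromptBehaviorAdmin 5, PromptOnSecureDesktop 1,
# EnableLUA 1, DisableAntiSpyware absent/0.
WEAK = {
    "DisableAntiSpyware": (lambda v: v == 1,
                           "Windows Defender is disabled by policy"),
    "ConsentPromptBehaviorAdmin": (lambda v: v == 0,
                                   "UAC elevates administrators without any prompt (default is 5)"),
    "PromptOnSecureDesktop": (lambda v: v == 0,
                              "UAC prompts are not isolated on the secure desktop (default is 1)"),
    "EnableLUA": (lambda v: v == 0,
                  "UAC is switched off entirely (default is 1)"),
}


def parse_value_line(line):
    """Return (name, int_value) for a value line in either log format, or None
    for anything else (key headers, blank lines, free text)."""
    line = line.strip()
    m = RKILL_RE.match(line)
    if m:
        return m.group("name"), int(m.group("hex"), 16)
    m = COMBOFIX_RE.match(line)
    if m:
        return m.group("name"), int(m.group("dec"))
    return None


def audit(log_text):
    """Return [(name, value, explanation)] for every known value that is weaker
    than its default, in the order the lines appear. Unknown names are ignored."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_value_line(line)
        if parsed is None:
            continue
        name, value = parsed
        if name in WEAK:
            is_weak, why = WEAK[name]
            if is_weak(value):
                findings.append((name, value, why))
    return findings


# Constructed sample: the relevant lines lifted from the Rkill and ComboFix logs above.
SAMPLE_LOG = """\
[HKLM\\SOFTWARE\\Microsoft\\Windows Defender]
"DisableAntiSpyware" = dword:00000001
[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\policies\\system]
"PromptOnSecureDesktop"= 0 (0x0)
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableCursorSuppression"= 1 (0x1)
"EnableUIADesktopToggle"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"disablecad"= 1 (0x1)
"""

if __name__ == "__main__":
    for name, value, why in audit(SAMPLE_LOG):
        print(f"{name} = {value}: {why}")
```

Run against the sample it reports three findings (Defender disabled, no secure-desktop prompt, silent admin elevation), which is exactly what RogueKiller later tags as PUM.Policies for `ConsentPromptBehaviorAdmin`. The predicates only fire on the values that are weaker than the default, so a deliberately stricter setting is not reported as a problem.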
Juliet Posted October 30, 2014

That came back in good shape.

By chance were you able to run RogueKiller? I would like to see the log it creates.
crossword Posted October 30, 2014 (Author)

Yes I did post the RogueKiller log above too. It seemed to be clean, but now I'm worried cos I know I had saved CCleaner on my ext HDD and that didn't undergo the ESET scan since at that time I had it plugged in the front of the case. So how do I now scan the ext HDD to get rid of anything?

And also, why did some malware attach to CCleaner? Is it not safe to download and use? Did the download maybe come attached with malware? If so is there some safer cleaner I can use?
Juliet Posted October 30, 2014

Rkill 2.6.8 by Lawrence Abrams (Grinler) <-- is what you ran.

Here is what I need you to run now.

Please download RogueKiller and save it to your desktop.
You can check here if you're not sure if your computer is 32-bit or 64-bit
Download RogueKiller to your desktop.
Quit all running programs.
For Windows XP, double-click to start.
For Vista, Windows 7/8, right-click on the program and select Run as Administrator to start and when prompted allow it to run.
Read and accept the EULA (End User License Agreement)
Click Scan to scan the system.
When the scan completes Close the program > Don't Fix anything!
Don't run any other options, they're not all bad!!
Post back the report which should be located on your desktop.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Yes, I can recommend a different temp file cleaner.

Please Run TFC by OldTimer to clear temporary files:
Download TFC from here http://oldtimer.geekstogo.com/TFC.exe and save it to your desktop.
Close any open programs and Internet browsers.
Double click TFC.exe to run it on XP (for Vista and Windows 7 right click and choose "Run as administrator") and once it opens click on the Start button on the lower left of the program to allow it to begin cleaning.
Please be patient as clearing out temp files may take a while.
Once it completes you may be prompted to restart your computer, please do so.
Once it's finished you may delete TFC.exe from your desktop or save it for later use for the cleaning of temporary files.
crossword Posted November 7, 2014 (Author)

I ran RogueKiller; sorry, I would have done it sooner but was afraid it would wipe out my internet history and I needed to save some stuff first:

RogueKiller V10.0.4.0 [Oct 29 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 8 (6.2.9200 ) 32 bits version
Started in : Normal mode
User : Vidya Samson [Administrator]
Mode : Scan -- Date : 11/07/2014 20:52:48

¤¤¤ Processes : 1 ¤¤¤
[Tr.Zeus] SAPISSVC.EXE -- [x] -> Killed [TermProc]

¤¤¤ Registry : 9 ¤¤¤
[PUP] HKEY_CLASSES_ROOT\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3} -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\catchme (\??\C:\Users\VIDYAS~1\AppData\Local\Temp\catchme.sys) -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\catchme (\??\C:\Users\VIDYAS~1\AppData\Local\Temp\catchme.sys) -> Found
[PUM.HomePage] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : -> Found
[PUM.HomePage] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : -> Found
[PUM.SearchPage] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Search Page : -> Found
[PUM.SearchPage] HKEY_USERS\S-1-5-21-2261785502-2541491869-2394418403-1001\Software\Microsoft\Internet Explorer\Main | Search Page : -> Found
[PUM.SearchPage] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Search Page : -> Found
[PUM.Policies] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 1 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 localhost

¤¤¤ Antirootkit : 7 (Driver: Loaded) ¤¤¤
[IAT:Addr] (explorer.exe @ KERNELBASE.dll) ext-ms-win-gpapi-grouppolicy-l1-1-0.dll - RegisterGPNotificationInternalWorker : C:\Windows\SYSTEM32\gpapi.dll @ 0x74341dac
[IAT:Addr] (explorer.exe @ combase.dll) ext-ms-win-com-clbcatq-l1-1-0.dll - GetCatalogObject2 : C:\Windows\SYSTEM32\clbcatq.dll @ 0x75382622
[IAT:Addr] (explorer.exe @ combase.dll) ext-ms-win-com-clbcatq-l1-1-0.dll - GetCatalogObject : C:\Windows\SYSTEM32\clbcatq.dll @ 0x75381f51
[IAT:Inl] (explorer.exe @ SHELL32.dll) ntdll.dll - NtQueryLicenseValue : C:\Windows\System32\SLCHook.dll @ 0x710b3b70 (jmp 0xfffffffff980e488)
[IAT:Inl] (explorer.exe @ WINSTA.dll) ntdll.dll - NtQueryLicenseValue : C:\Windows\System32\SLCHook.dll @ 0x710b3b70 (jmp 0xfffffffff980e488)
[IAT:Addr] (firefox.exe @ combase.dll) ext-ms-win-com-clbcatq-l1-1-0.dll - GetCatalogObject2 : C:\Windows\SYSTEM32\clbcatq.dll @ 0x75382622
[IAT:Addr] (firefox.exe @ combase.dll) ext-ms-win-com-clbcatq-l1-1-0.dll - GetCatalogObject : C:\Windows\SYSTEM32\clbcatq.dll @ 0x75381f51

¤¤¤ Web browsers : 1 ¤¤¤
[PUM.HomePage][FIREFX:Config] xjxa2sli.default : user_pref("browser.startup.homepage", "http://www.zoetrope.com/members/priv/index.cgi?show_page=discuss&owner=14437"); -> Found

¤¤¤ MBR Check : ¤¤¤

+++++ PhysicalDrive0: WDC WD5000AZRX-00A8LB0 ATA Device +++++
--- User ---
[MBR] 4c60b75ac5499f737528ec3ec06fd380
[BSP] efa6806e77e4a8092b21dd211a11fc43 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 350 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 718848 | Size: 64650 MB
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 133122048 | Size: 71938 MB
3 - [XXXXXX] EXTEN-LBA (0xf) [VISIBLE] Offset (sectors): 280451072 | Size: 340000 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: Seagate Portable USB Device +++++
--- User ---
[MBR] 2e55e29d1a2e061b3a72ea87510616c3
[BSP] efeadd22efe89143fc9f1ce47f61cffb : Empty MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 250003 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 512007615 | Size: 226933 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )
Juliet Posted November 7, 2014

Run RogueKiller again and click Scan
When the scan completes > click on the Registry tab
In the Registry tab, check the following lines:

[PUP] HKEY_CLASSES_ROOT\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3} -> Found

NEXT**

Click on the WebBrowsers tab.

[PUM.HomePage][FIREFX:Config] xjxa2sli.default : user_pref("browser.startup.homepage", "http://www.zoetrope.com/members/priv/index.cgi?show_page=discuss&owner=14437"); -> Found

And then click on the Delete button.
Reboot
Please post the log it creates.
crossword Posted November 7, 2014 (Author)

Will do… zoetrope is the writers site I visit several times a day. Did it give me some infection/malware?
Juliet Posted November 7, 2014

We need to close anything suspicious or alerted to as PUM.HomePage (Possible Unwanted Malware)
crossword Posted November 8, 2014 (Author)

You said:
"In the Registry tab, check the following lines:
[PUP] HKEY_CLASSES_ROOT\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3} -> Found"

But there are some entries below that too. Should I delete ONLY that one or all of them found in Registry?
Juliet Posted November 8, 2014

I believe the other entries will be fine

Please click this one
[PUP] HKEY_CLASSES_ROOT\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3} -> Found
crossword Posted November 8, 2014 (Author)

RogueKiller V10.0.4.0 [Oct 29 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 8 (6.2.9200 ) 32 bits version
Started in : Normal mode
User : Vidya Samson [Administrator]
Mode : Delete -- Date : 11/08/2014 09:21:48

¤¤¤ Processes : 1 ¤¤¤
[Tr.Zeus] SAPISSVC.EXE -- [x] -> Killed [TermProc]

¤¤¤ Registry : 9 ¤¤¤
[PUP] HKEY_CLASSES_ROOT\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3} -> Deleted
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\catchme (\??\C:\Users\VIDYAS~1\AppData\Local\Temp\catchme.sys) -> Not selected
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\catchme (\??\C:\Users\VIDYAS~1\AppData\Local\Temp\catchme.sys) -> Not selected
[PUM.HomePage] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : -> Not selected
[PUM.HomePage] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : -> Not selected
[PUM.SearchPage] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Search Page : -> Not selected
[PUM.SearchPage] HKEY_USERS\S-1-5-21-2261785502-2541491869-2394418403-1001\Software\Microsoft\Internet Explorer\Main | Search Page : -> Not selected
[PUM.SearchPage] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Search Page : -> Not selected
[PUM.Policies] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Not selected

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 1 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 localhost

¤¤¤ Antirootkit : 6 (Driver: Loaded) ¤¤¤
[IAT:Addr] (explorer.exe @ combase.dll) ext-ms-win-com-clbcatq-l1-1-0.dll - GetCatalogObject2 : C:\Windows\SYSTEM32\clbcatq.dll @ 0x77132622
[IAT:Addr] (explorer.exe @ combase.dll) ext-ms-win-com-clbcatq-l1-1-0.dll - GetCatalogObject : C:\Windows\SYSTEM32\clbcatq.dll @ 0x77131f51
[IAT:Inl] (explorer.exe @ SHELL32.dll) ntdll.dll - NtQueryLicenseValue : C:\Windows\System32\SLCHook.dll @ 0x71143b70 (jmp 0xfffffffff9f1e488)
[IAT:Inl] (explorer.exe @ WINSTA.dll) ntdll.dll - NtQueryLicenseValue : C:\Windows\System32\SLCHook.dll @ 0x71143b70 (jmp 0xfffffffff9f1e488)
[IAT:Addr] (firefox.exe @ combase.dll) ext-ms-win-com-clbcatq-l1-1-0.dll - GetCatalogObject2 : C:\Windows\SYSTEM32\clbcatq.dll @ 0x77132622
[IAT:Addr] (firefox.exe @ combase.dll) ext-ms-win-com-clbcatq-l1-1-0.dll - GetCatalogObject : C:\Windows\SYSTEM32\clbcatq.dll @ 0x77131f51

¤¤¤ Web browsers : 1 ¤¤¤
[PUM.HomePage][FIREFX:Config] xjxa2sli.default : user_pref("browser.startup.homepage", "http://www.zoetrope.com/members/priv/index.cgi?show_page=discuss&owner=14437"); -> Replaced (about:home)

¤¤¤ MBR Check : ¤¤¤

+++++ PhysicalDrive0: WDC WD5000AZRX-00A8LB0 ATA Device +++++
--- User ---
[MBR] 4c60b75ac5499f737528ec3ec06fd380
[BSP] efa6806e77e4a8092b21dd211a11fc43 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 350 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 718848 | Size: 64650 MB
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 133122048 | Size: 71938 MB
3 - [XXXXXX] EXTEN-LBA (0xf) [VISIBLE] Offset (sectors): 280451072 | Size: 340000 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: Seagate Portable USB Device +++++
--- User ---
[MBR] 2e55e29d1a2e061b3a72ea87510616c3
[BSP] efeadd22efe89143fc9f1ce47f61cffb : Empty MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 250003 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 512007615 | Size: 226933 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )

============================================
RKreport_SCN_11072014_205248.log - RKreport_SCN_11082014_053033.log
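The two RogueKiller reports in this thread (the Scan run of 11/07 and the Delete run of 11/08) differ only in the status column, and the advice was to act on exactly two entries. Checking that by eye across a log this long is error-prone, so the script below, an added example that is not part of the thread and not RogueKiller's own code, parses the `[Category] item -> Status` lines of both reports and lists every detection whose status changed, then narrows that to the ones the tool actually modified. It assumes only that line shape; the sample lines are copied from the reports above, cut down to the entries that matter.

```python
"""Diff two RogueKiller reports and show which detections were acted on.

Added example, not part of the thread above and not RogueKiller's own code.
Assumes the "[Tag][Tag] item -> Status" line shape seen in the posted reports.
"""
import re

# "[PUP] HKEY_CLASSES_ROOT\CLSID\{...} -> Found"
# "[PUM.HomePage][FIREFX:Config] xjxa2sli.default : user_pref(...); -> Replaced (about:home)"
ENTRY_RE = re.compile(r'^(?P<tags>(?:\[[^\]]+\])+)\s*(?P<item>.*?)\s*->\s*(?P<status>.+?)\s*$')


def parse_report(text):
    """Map (tags, item) -> status for every detection line in one report.
    Lines without a '->' (section headers, Antirootkit hooks, MBR data) are skipped."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[(m.group("tags"), m.group("item"))] = m.group("status")
    return entries


def diff_reports(scan_text, delete_text):
    """Return sorted [(tags, item, status_before, status_after)] for entries whose
    status differs between the runs, including entries present in only one."""
    before = parse_report(scan_text)
    after = parse_report(delete_text)
    changed = []
    for key in sorted(set(before) | set(after)):
        b = before.get(key, "<absent>")
        a = after.get(key, "<absent>")
        if b != a:
            changed.append((key[0], key[1], b, a))
    return changed


def acted_on(changes):
    """Only the changes where the Delete run modified something; 'Not selected'
    means the entry was shown but left alone."""
    return [c for c in changes if c[3].startswith(("Deleted", "Replaced"))]


# Constructed samples: lines copied from the two reports above, shortened to the
# entries that differ plus one that does not.
SCAN_REPORT = r"""
[Tr.Zeus] SAPISSVC.EXE -- [x] -> Killed [TermProc]
[PUP] HKEY_CLASSES_ROOT\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3} -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\catchme (\??\C:\Users\VIDYAS~1\AppData\Local\Temp\catchme.sys) -> Found
[PUM.Policies] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Found
[PUM.HomePage][FIREFX:Config] xjxa2sli.default : user_pref("browser.startup.homepage", "http://www.zoetrope.com/members/priv/index.cgi?show_page=discuss&owner=14437"); -> Found
"""

DELETE_REPORT = r"""
[Tr.Zeus] SAPISSVC.EXE -- [x] -> Killed [TermProc]
[PUP] HKEY_CLASSES_ROOT\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3} -> Deleted
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\catchme (\??\C:\Users\VIDYAS~1\AppData\Local\Temp\catchme.sys) -> Not selected
[PUM.Policies] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Not selected
[PUM.HomePage][FIREFX:Config] xjxa2sli.default : user_pref("browser.startup.homepage", "http://www.zoetrope.com/members/priv/index.cgi?show_page=discuss&owner=14437"); -> Replaced (about:home)
"""

if __name__ == "__main__":
    for tags, item, before, after in diff_reports(SCAN_REPORT, DELETE_REPORT):
        print(f"{tags} {item[:60]}...: {before} -> {after}")
    print("acted on:", len(acted_on(diff_reports(SCAN_REPORT, DELETE_REPORT))))
```

On the sample, `acted_on` returns just the CLSID entry (Deleted) and the Firefox homepage preference (Replaced with about:home); the catchme service and the UAC policy show up as changed only because their status moved from "Found" to "Not selected", confirming they were left alone as instructed. The same two functions work on the full report files saved on the desktop.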
Juliet Posted November 8, 2014

Please give me an update on how the computer is performing now.
crossword Posted November 8, 2014 (Author)

Computer seems to be working ok. But now as I said before I'm worried cos I know I had saved CCleaner on my ext HDD and that didn't undergo the ESET scan since at that time I had it plugged in the front of the case and it didn't show up.

Sounds like now my computer is clean? But I fear not my ext HDD. Apart from CCleaner it may have other malware. So how do I now scan the ext HDD to get rid of anything? Do tools like FARBAR, AdwareRemoval, Malware Bytes also scan the ext HDD? If so should I run them all? Did RogueKiller scan it? I did have the HDD plugged in when I ran it.
Juliet Posted November 8, 2014

Scanners will scan an external drive when instructed to.
There are other options you can try.
Locate the drive used by your external, via My Computer, then right clicking it and selecting Scan [with your antivirus software].

~~~~~~~~~~~

Download MCShield to your desktop and install
It will initially run a scan and show the result as a toaster by the system clock
Then in the control centre select scanner and tick unhide items on flash drives
Plug in the drive and McShield will start a scan
Then get the log which will be here: Start > all programs > MCShield > logs > all scans

~~~~~~~~~~~~~~~
crossword Posted November 8, 2014 (Author)

Went to http://www.mcshield.net/downloads.html and got this message:

Not Found
The requested URL /downloads.html was not found on this server.

***

Earlier you had suggested ESET and Emsisoft to me. I googled and they seem to be among the most highly recommended. Though I don't know if I can run ESET again since it was a one time scan.
Juliet Posted November 8, 2014

"Went to http://www.mcshield.net/downloads.html and got this message: Not Found The requested URL /downloads.html was not found on this server. *** Earlier you had suggested ESET and Emsisoft to me. I googled and they seem to be among the most highly recommended. Though I don't know if I can run ESET again since it was a one time scan."

I am so sorry, did not realize the url had changed.

MCShield Anti-Malware USB Tool
* MCShield Documentation & Program Features

Download MCShield Anti-Malware USB Tool to your desktop and install
It will initially run a scan and show the result as a toaster by the system clock
Then in the control centre select scanner and tick unhide items on flash drives
Plug in the drive and McShield will start a scan
Then get the log which will be here: Start > all programs > MCShield > logs > all scans

************

You can try ESET again to see if it will allow you to run another online scan; if not I have other online scans we can use.

The below is a good scanner, give it a try.

Download EmsisoftEmergencyKit, run the exe and extract the content in a folder of your choice like (C:\EEK) by clicking the Extract button.
Double-click the desktop-shortcut called Start Emsisoft Emergency Kit to start the tool.
Click on the "Yes" button when asked to obtain the latest malware definitions.
Once the update is complete click "Scan".
Click on the "Yes" button when asked to enable the scan for Potentially Unwanted Applications.
Next click on the Full Scan.
When the scan completes, click on the View Report button.
Please copy and paste the content of the report in your next reply.
crossword (Author) Posted November 8, 2014

Ok. Should I run BOTH MCShield and Emsisoft, or will one or the other do? Which is the best FREE scanner that I can download to my comp and use regularly? Emsisoft seems to be for malware, so I assume it's not really an antivirus. I had googled days ago and studied a couple of discussions that compared various AVs and anti-malware tools. Everyone has their own opinion, but some agreed ESET gave too many false positives, and so did some others.
Juliet Posted November 9, 2014 (edited)

You can run BOTH MCShield and Emsisoft. MCShield is specific for scanning USB devices (make sure it's plugged in). Emsisoft (free) is for malware and acts as an additional on-demand scanner; it can be used in conjunction with your antivirus, as can Malwarebytes' Anti-Malware.

It is advised to use 1 anti-malware scanner with 1 antivirus; running more than that on your computer would present multiple issues.

avast! Free Anti-Virus (free)
Avira AntiVir Personal - Free Antivirus
Microsoft Security Essentials (free)
ESET NOD32 Anti-Virus (paid)
Kaspersky Anti-Virus (paid)
Emsisoft Internet Security (paid)

As for free versus paid antivirus, I have to leave this up to you, but I've always stayed with a free version, which uses fewer resources and consumes less time in updating. This is my personal opinion. Also, with free versions of antivirus, a firewall is not included.

Edited November 9, 2014 by Juliet
crossword (Author) Posted November 9, 2014

Since I already have Malwarebytes' Anti-Malware, can I use that instead of Emsisoft to scan my HDD for malware?

"It is advised to use 1 anti-malware scanner with 1 antivirus; running more than that on your computer would present multiple issues."

Yes, I read that, but I also read that you can store various on-demand malware scanners on your comp as long as you have only one AV [and maybe one malware scanner?] running in real time.

This time I ran various things like:
Farbar
RKill
RogueKiller
ComboFix

Can I run all these every month or so when I clean my comp and check for viruses and malware? Or should I stick to an AV like Avast and then Malwarebytes and trust these 2 to keep the comp safe?

You warned me not to delete anything RogueKiller showed. Would it have harmed my computer if I had just deleted everything it showed as suspicious? Do I always have to run it by a malware expert before I delete anything RogueKiller shows?
Juliet Posted November 9, 2014

"Since I already have Malwarebytes' Anti-Malware, can I use that instead of Emsisoft to scan my HDD for malware?"

Yes. Some like to run the different malware scanners to see if one can pick up on what the other might not have found. It will not hurt to run both, but you do not want either set to auto-update. This is usually applied when you buy the Pro versions.

"This time I ran various things like: Farbar, RKill, RogueKiller, ComboFix. Can I run all these every month or so when I clean my comp and check for viruses and malware?"

No. These tools post findings, good or bad, and if you're not trained to spot the difference between the two you'll possibly delete or quarantine something that should not be tampered with. These tools, or very few of them, do not have auto-update, so you wouldn't have an up-to-date version, which can cause issues, and I myself would not want anything done on my computer that I was unsure of. And if one threw out an error, without having access to the developer's forum you would have no idea what to do. That's why they can also be called dangerous in the hands of the untrained.

"Or should I stick to an AV like Avast and then Malwarebytes and trust these 2 to keep the comp safe?"

These 2 tools are good used together, and I can also supply a list of other tools that, when on the computer, also help protect against infection. They will be posted in my closing Prevention Tips.

"You warned me not to delete anything RogueKiller showed. Would it have harmed my computer if I had just deleted everything it showed as suspicious? Do I always have to run it by a malware expert before I delete anything RogueKiller shows?"

Many of the items found were ok. RogueKiller checks specific areas of a computer that malware likes to hide in, and it will post/show them to us, but they are not always infected. If those areas were infected it would show the malicious file extensions too.

If a computer is having internet connection problems, clicking to remove items detailing IP addresses can prevent the machine from connecting back. Clicking on remove mainly resets to default, but it's not a necessary action. Please don't attempt to do any of this by yourself. I strongly recommend against it.

Are we ready to remove tools and quarantine folders and have me post preventive tips?
crossword (Author) Posted November 12, 2014

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 11/12/2014
Scan Time: 7:58:55 AM
Logfile: malware log.txt
Administrator: Yes

Version: 2.00.3.1025
Malware Database: v2014.11.12.02
Rootkit Database: v2014.11.11.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 8
CPU: x86
File System: NTFS
User: Vidya Samson

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 309957
Time Elapsed: 9 min, 45 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Warn
PUM: Warn

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 2
Trojan.Agent, c:\Users\Default\AppData\Roaming\skype.dat, , [3e4709311d5f64d2defd471bdb29639d],
Trojan.Agent, c:\Users\Vidya Samson\AppData\Roaming\skype.dat, , [473ec971a4d89f978556a8ba62a2e719],

Physical Sectors: 0
(No malicious items detected)

(end)

>>> MCShield AllScans.txt <<<
-----------------------------
MCShield ::Anti-Malware Tool:: http://www.mcshield.net/
>>> v 3.0.5.28 / DB: 2014.11.5.1 / Windows 8 <<<

11/12/2014 7:02:53 AM > Drive C: - scan started (no label ~63 GB, NTFS HDD )...
=> The drive is clean.

11/12/2014 7:02:53 AM > Drive D: - scan started (OTHER ~146 GB, NTFS HDD )...
=> The drive is clean.

11/12/2014 7:02:54 AM > Drive E: - scan started (DATA ~186 GB, NTFS HDD )...
=> The drive is clean.

11/12/2014 7:02:54 AM > Drive F: - scan started (no label ~70 GB, NTFS HDD )...
=> The drive is clean.

11/12/2014 7:02:59 AM > Drive H: - scan started (no label ~244 GB, NTFS HDD )...
=> The drive is clean.

11/12/2014 7:02:59 AM > Drive I: - scan started (no label ~222 GB, NTFS HDD )...
=> The drive is clean.
Juliet Posted November 12, 2014

Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:

:folderfind
skype

:filefind
skype

:regfind
skype

Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop, entitled SystemLook.txt

About Quick Heal

They use some sort of "blocklist" with filenames in it in order to prevent the creation of them (as some sort of pro-active defense). So during a Malwarebytes scan, enumerating the rules probably triggers some sort of action in Quick Heal (some sort of lock/access denied), so MBAM acts upon that and treats/sees this as the file being present. When Quick Heal sees MBAM scanning, these errors deny MBAM access, and then it throws out the alert as if it has acted on skype.dat.

Download Emsisoft Emergency Kit, run the exe and extract the content to a folder of your choice, like C:\EEK, by clicking the Extract button.
Double-click the desktop shortcut called Start Emsisoft Emergency Kit to start the tool.
Click on the "Yes" button when asked to obtain the latest malware definitions.
Once the update is complete, click "Scan".
Click on the "Yes" button when asked to enable the scan for Potentially Unwanted Applications.
Next click on Full Scan.
When the scan completes, click on the View Report button.
Please copy and paste the content of the report in your next reply.
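An independent way to check the two skype.dat paths Malwarebytes reported, added here as an editor's example rather than anything from Juliet's post or from either vendor. It looks the files up with -Force, so a Hidden or System attribute does not hide them, and it computes a SHA-256 through .NET directly rather than Get-FileHash, because the PowerShell 3.0 that ships with Windows 8 does not have that cmdlet. If neither path exists on disk, that is consistent with the Quick Heal interaction described above; if one does, its size, timestamps and hash are what a helper would want to see before anything is removed. The paths are taken from the log posted above, with $env:APPDATA standing in for the current user's Roaming folder. The script reads only; it quarantines and deletes nothing.

```powershell
# Added example (not from the original post, not Malwarebytes or Quick Heal code):
# check whether the paths a scanner reported actually exist, and fingerprint
# them read-only. Run in an elevated PowerShell prompt.

# Paths from the MBAM log in this thread; the second resolves to the current
# user's Roaming folder (C:\Users\<user>\AppData\Roaming).
$flaggedPaths = @(
    'C:\Users\Default\AppData\Roaming\skype.dat',
    (Join-Path $env:APPDATA 'skype.dat')
)

function Get-Sha256Hex {
    # SHA-256 via .NET so this also works on PowerShell 3.0 (no Get-FileHash)
    param([Parameter(Mandatory)][string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try {
        ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join ''
    }
    finally {
        $fs.Dispose()
        $sha.Dispose()
    }
}

function Test-FlaggedPath {
    param([Parameter(Mandatory)][string]$Path)

    # -Force returns Hidden/System files that a plain Get-Item would skip
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue

    if (-not $item) {
        return [pscustomobject]@{
            Path   = $Path
            Exists = $false
            Note   = 'not present on disk; consistent with a scanner/AV interaction rather than a dropped file'
        }
    }

    # A file the AV is guarding may refuse to be opened; report that instead of failing
    try   { $hash = Get-Sha256Hex -Path $Path }
    catch { $hash = "unreadable: $($_.Exception.Message)" }

    [pscustomobject]@{
        Path       = $Path
        Exists     = $true
        SizeBytes  = $item.Length
        Attributes = $item.Attributes
        Created    = $item.CreationTime
        LastWrite  = $item.LastWriteTime
        SHA256     = $hash
        Note       = 'present: post these details to your helper before acting on it'
    }
}

$flaggedPaths | ForEach-Object { Test-FlaggedPath -Path $_ } | Format-List
```

A "not present" result for both paths does not by itself prove the detection was wrong, but it rules out the simplest explanation (a real file sitting in Roaming) and leaves the Quick Heal interaction as the remaining one to confirm with the SystemLook output.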