I got infected with mail.ru


Post by nguyenphilan555 » September 22nd, 2015, 2:36 am

Each time my laptop starts up, a website automatically opens in Opera (my default browser). The website is hxxp://ognime.ru. When I used ComboFix, I found this: uStart Page = hxxp://mail.ru/cnt/10445?gp=blackbear16
Can you guys help me? I would really appreciate it :D
Here's the log too:
DDS.txt:
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 11.45.2
Run by Administrator at 13:27:28 on 2015-09-22
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.3033.1783 [GMT 7:00]
.
AV: Kaspersky Internet Security *Disabled/Updated* {B41C7598-35F6-4D89-7D0E-7ADE69B4047B}
SP: Kaspersky Internet Security *Disabled/Updated* {0F7D947C-13CC-4207-47BE-41AC12334EC6}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Kaspersky Internet Security *Disabled* {8C27F4BD-7F99-4CD1-5651-D3EB97674300}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\avp.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\hkcmd.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\avpui.exe
C:\Program Files\cFosSpeed\spd.exe
C:\Program Files\Condusiv Technologies\Diskeeper\DkService.exe
C:\Program Files\Opera\32.0.1948.25\opera.exe
C:\Program Files\Opera\32.0.1948.25\opera.exe
C:\Program Files\Opera\32.0.1948.25\opera.exe
C:\Program Files\Opera\32.0.1948.25\opera.exe
C:\Program Files\Opera\32.0.1948.25\opera.exe
C:\Program Files\Opera\32.0.1948.25\opera.exe
C:\Program Files\Opera\32.0.1948.25\opera.exe
C:\Program Files\Opera\32.0.1948.25\opera.exe
C:\Program Files\Unikey\UniKeyNT.exe
C:\Program Files\Opera\32.0.1948.25\opera.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com
BHO: IDM integration (IDMIEHlprObj Class): {0055C089-8582-441B-A0BF-17B458C2A3A8} - c:\program files\internet download manager\IDMIECC.dll
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.8.0_45\bin\ssv.dll
BHO: Logitech SetPoint: {AF949550-9094-4807-95EC-D1C317803333} - c:\program files\logitech\setpointp\SetPointSmooth.dll
BHO: Kaspersky Protection plugin: {C66D064F-82FE-4E1A-B06A-B2490BA48B18} - c:\program files\kaspersky lab\kaspersky internet security 16.0.0\ieext\ie_plugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre1.8.0_45\bin\jp2ssv.dll
TB: Kaspersky Protection toolbar: {3507FA00-ADA2-4A02-99B9-51AD26CA9120} - c:\program files\kaspersky lab\kaspersky internet security 16.0.0\ieext\ie_plugin.dll
uRun: [UniKey] c:\program files\unikey\UniKeyNT.exe
uRun: [CocCoc Update] "c:\users\administrator\appdata\local\coccoc\update\CocCocUpdate.exe" /c
uRun: [IDMan] c:\program files\internet download manager\IDMan.exe /onboot
uRun: [GarenaPlus] "c:\program files\garena plus\GarenaMessenger.exe" -autolaunch
uRun: [kmhlalccdh] explorer "http://ognime.ru/?utm_source=uoua03&utm_content=e22e2a5a38751ffac5cc67397623ef78&utm_term=3EB97C0F4B708ED106BB021F3BCBB9CA"
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE -startup
mRun: [cFosSpeed] c:\program files\cfosspeed\cFosSpeed.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
uPolicies-Explorer: NoResolveTrack = dword:1
uPolicies-Explorer: NoDriveTypeAutoRun = dword:181
uPolicies-Explorer: NoAutorun = dword:1
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:28
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: Download all links with IDM - c:\program files\internet download manager\IEGetAll.htm
IE: Download with IDM - c:\program files\internet download manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office14\EXCEL.EXE/3000
TCP: NameServer = 203.113.188.1 203.113.131.3
TCP: Interfaces\{4B8BA9AE-CA21-440C-8A9B-1C4BA1214B46} : DHCPNameServer = 203.113.188.1 203.113.131.3
TCP: Interfaces\{E991288B-B486-42BB-A5DE-61FF6E8170A3} : NameServer = 203.113.188.1,203.113.131.3
TCP: Interfaces\{FF9418DD-45EC-4151-8B0D-406406F55EC0} : DHCPNameServer = 203.113.188.1 203.113.131.3
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Notify: igfxcui - igfxdev.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WebCheck - <orphaned>
.
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\administrator\appdata\roaming\mozilla\firefox\profiles\8rw29h3n.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:home
FF - plugin: c:\progra~1\micros~3\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~3\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\garena plus\bbtalk\plugins\npplugin\npGarenaTalkPlugin.dll
FF - plugin: c:\program files\java\jre1.8.0_45\bin\dtplugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre1.8.0_45\bin\plugin2\npjp2.dll
FF - plugin: c:\users\administrator\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_18_0_0_232.dll
.
============= SERVICES / DRIVERS ===============
.
R0 cm_km;Kaspersky Lab ZAO Cryptographic Module x86 (Weak);c:\windows\system32\drivers\cm_km.sys [2015-7-6 201912]
R0 DKDFM;Device Filter Manager Driver;c:\windows\system32\drivers\DKDFM.sys [2015-9-20 35600]
R0 DKTLFSMF;Telemetry File System Mini Filter Driver;c:\windows\system32\drivers\DKTLFSMF.sys [2015-9-20 94448]
R0 klbackupdisk;Kaspersky Lab klbackupdisk;c:\windows\system32\drivers\klbackupdisk.sys [2015-6-6 46776]
R0 LHDmgr;LHDmgr;c:\windows\system32\drivers\LhdX86.sys [2010-1-15 32352]
R1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\ElRawDsk.sys [2015-2-21 20392]
R1 klbackupflt;Kaspersky Lab klbackupflt;c:\windows\system32\drivers\klbackupflt.sys [2015-6-27 58224]
R1 klhk;Kaspersky Lab service driver;c:\windows\system32\drivers\klhk.sys [2015-9-17 44728]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\drivers\klim6.sys [2015-6-11 33976]
R1 klpd;Kaspersky Lab format recognizer driver;c:\windows\system32\drivers\klpd.sys [2015-6-8 28344]
R1 kltdi;kltdi;c:\windows\system32\drivers\kltdi.sys [2015-6-11 54328]
R1 Klwtp;Klwtp;c:\windows\system32\drivers\klwtp.sys [2015-6-16 87736]
R1 kneps;kneps;c:\windows\system32\drivers\kneps.sys [2015-6-23 156856]
R1 RawDisk3;RawDisk3;c:\windows\system32\drivers\rawdsk3.sys [2015-2-22 28256]
R2 AVP16.0.0;Kaspersky Anti-Virus Service 16.0.0;c:\program files\kaspersky lab\kaspersky internet security 16.0.0\avp.exe [2015-7-9 194000]
R2 BstHdDrv;BlueStacks Hypervisor;c:\program files\bluestacks\HD-Hypervisor-x86.sys [2015-5-28 131704]
R2 IDMWFP;IDMWFP;c:\windows\system32\drivers\idmwfp.sys [2015-4-2 122432]
R2 kldisk;kldisk;c:\windows\system32\drivers\kldisk.sys [2015-6-6 58040]
R2 PDFsFilter;PDFsFilter;c:\windows\system32\drivers\PDFsFilter.sys [2015-2-21 69016]
R3 ACPIVPC;Lenovo Virtual Power Controller Driver;c:\windows\system32\drivers\AcpiVpc.sys [2011-12-15 24672]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2014-10-10 368168]
R3 DKRtWrt;DKRtWrt;c:\windows\system32\drivers\DKRtWrt.sys [2015-9-20 45712]
R3 klflt;Kaspersky Lab Kernel DLL;c:\windows\system32\drivers\klflt.sys [2015-9-17 136888]
R3 klkbdflt;Kaspersky Lab KLKBDFLT;c:\windows\system32\drivers\klkbdflt.sys [2015-6-6 37048]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2015-6-7 38072]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2015-9-21 23256]
S2 AIPS;Arp Intelligent Protection Service;c:\program files\netcut\services\aips.exe [2015-3-14 262144]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2012-7-9 104912]
S2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2015-2-21 4702920]
S2 MBAMService;MBAMService;c:\program files\malwarebytes anti-malware\mbamservice.exe [2015-9-21 1133880]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2015-2-18 315488]
S3 BstHdAndroidSvc;BlueStacks Android Service;c:\program files\bluestacks\HD-Service.exe [2015-5-28 433784]
S3 BstHdLogRotatorSvc;BlueStacks Log Rotator Service;c:\program files\bluestacks\HD-LogRotatorService.exe [2015-5-28 413304]
S3 BstHdUpdaterSvc;BlueStacks Updater Service;c:\program files\bluestacks\HD-UpdaterService.exe [2015-5-28 831096]
S3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 62464]
S3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys [2015-9-21 51928]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-21 15872]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2015-2-22 27192]
S3 Synth3dVsc;Microsoft Virtual 3D Video Transport Driver;c:\windows\system32\drivers\Synth3dVsc.sys [2010-11-21 77184]
S3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2010-11-21 25600]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2010-11-21 52224]
S3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 27264]
S3 tsusbhub;Remote Deskotop USB Hub;c:\windows\system32\drivers\tsusbhub.sys [2010-11-21 112640]
S3 vm3dmp;vm3dmp;c:\windows\system32\drivers\vm3dmp.sys [2011-11-13 108144]
S3 vmmouse;VMware Pointing Device;c:\windows\system32\drivers\vmmouse.sys [2011-11-13 11440]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2012-3-16 1343400]
S4 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes anti-malware\mbamscheduler.exe [2015-9-21 1871160]
.
=============== File Associations ===============
.
ShellExec: opera.exe: open="c:\program files\opera\Launcher.exe" "%1"
.
=============== Created Last 30 ================
.
2015-09-22 05:55:09 -------- d-----w- C:\AdwCleaner
2015-09-21 16:30:29 98520 ----a-w- c:\windows\system32\drivers\07581D00.sys
2015-09-20 18:39:52 -------- d-sh--w- C:\$RECYCLE.BIN
2015-09-20 18:29:28 98816 ----a-w- c:\windows\sed.exe
2015-09-20 18:29:28 256000 ----a-w- c:\windows\PEV.exe
2015-09-20 18:29:28 208896 ----a-w- c:\windows\MBR.exe
2015-09-20 18:29:17 -------- d-----w- C:\ComboFix
2015-09-20 17:47:41 -------- d-----w- C:\FRST
2015-09-20 17:07:54 98520 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2015-09-20 17:07:43 94936 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2015-09-20 17:07:43 51928 ----a-w- c:\windows\system32\drivers\mwac.sys
2015-09-20 17:07:43 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
2015-09-20 17:07:43 -------- d-----w- c:\programdata\Malwarebytes
2015-09-20 17:07:43 -------- d-----w- c:\program files\Malwarebytes Anti-Malware
2015-09-20 12:18:39 -------- d-----w- c:\users\administrator\appdata\local\CrashDumps
2015-09-20 12:14:54 -------- d-----w- c:\users\administrator\appdata\roaming\Condusiv_Technologies
2015-09-20 12:14:54 -------- d-----w- c:\users\administrator\appdata\local\Condusiv_Technologies
2015-09-20 12:05:34 94448 ----a-w- c:\windows\system32\drivers\DKTLFSMF.sys
2015-09-20 12:05:34 45712 ----a-w- c:\windows\system32\drivers\DKRtWrt.sys
2015-09-20 12:05:33 35600 ----a-w- c:\windows\system32\drivers\DKDFM.sys
2015-09-20 12:05:27 -------- d-----w- c:\program files\common files\Diskeeper Corporation
2015-09-20 12:05:26 -------- d-----w- c:\programdata\Condusiv Technologies
2015-09-20 12:05:26 -------- d-----w- c:\program files\Condusiv Technologies
2015-09-17 16:46:13 -------- d-----w- c:\windows\ELAMBKUP
2015-09-17 16:46:11 -------- d-----w- c:\programdata\Kaspersky Lab
2015-09-17 16:46:11 -------- d-----w- c:\program files\Kaspersky Lab
2015-09-17 16:45:59 44728 ----a-w- c:\windows\system32\drivers\klhk.sys
2015-09-17 16:45:59 136888 ----a-w- c:\windows\system32\drivers\klflt.sys
2015-09-12 16:48:26 -------- d-----w- c:\users\administrator\appdata\local\Betternet Updater
2015-09-06 14:50:49 -------- d-----w- c:\users\administrator\appdata\roaming\CUE Tools
2015-09-06 14:44:04 -------- d-----w- c:\users\administrator\appdata\roaming\Faasoft Audio Converter
.
==================== Find3M ====================
.
2015-09-19 12:22:43 778440 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2015-09-19 12:22:43 142536 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2015-07-05 17:10:20 201912 ----a-w- c:\windows\system32\drivers\cm_km.sys
2015-07-05 11:23:32 413696 ----a-w- c:\windows\system32\wrap_oal.dll
2015-07-05 11:23:32 110592 ----a-w- c:\windows\system32\OpenAL32.dll
2015-06-30 08:18:57 32832 ----a-w- c:\windows\system32\rnd_chunk.bin
2015-06-29 14:28:19 96352 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2015-06-26 18:30:00 58224 ----a-w- c:\windows\system32\drivers\klbackupflt.sys
.
============= FINISH: 13:28:11.23 ===============

Here's the attach.txt:
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Ultimate
Boot Device: \Device\HarddiskVolume1
Install Date: 10/10/2014 11:13:52 PM
System Uptime: 9/22/2015 1:14:23 PM (0 hours ago)
.
Motherboard: LENOVO | | JIWA1
Processor: Pentium(R) Dual-Core CPU T4400 @ 2.20GHz | U2E1 | 2200/mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 91 GiB total, 68.218 GiB free.
D: is FIXED (NTFS) - 58 GiB total, 33.782 GiB free.
E: is CDROM ()
F: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e97d-e325-11ce-bfc1-08002be10318}
Description: File as Volume Driver
Device ID: ROOT\BLBDRIVE\0000
Manufacturer: Microsoft
Name: File as Volume Driver
PNP Device ID: ROOT\BLBDRIVE\0000
Service: blbdrive
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
µTorrent
Adobe Flash Player 11 ActiveX
Adobe Flash Player 18 NPAPI
Adobe Flash Player 18 PPAPI
Audacity 2.1.0
AVS Audio Editor 7.3
BlueStacks App Player
BlueStacks Notification Center
Cốc Cốc
Call of Duty(R) 4 - Modern Warfare(TM)
cFosSpeed v10.04
Cheat Engine 6.4
Diskeeper 15
Energy Management
eReg
File Splitter and Joiner (FFSJ v3.3)
foobar2000 v1.3.8
Foxit Phantom
Intel(R) Control Center
Intel(R) Driver Update Utility 2.0
Intel(R) Graphics Media Accelerator Driver
Intel(R) TV Wizard
Intel® Driver Update Utility
Internet Download Manager
iolo technologies' System Mechanic Professional
Java 8 Update 45
Java Auto Updater
K-Lite Mega Codec Pack 11.0.5
Kaspersky Internet Security
KH Ultra Trainer
Logitech SetPoint 6.65
Malwarebytes Anti-Malware version 2.1.8.1057
MediaInfo 0.7.77
Microsoft .NET Framework 4.5
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Groove MUI (English) 2010
Microsoft Office InfoPath MUI (English) 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Professional Plus 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Word MUI (English) 2010
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Minecraft1.8.7
Mozilla Firefox 40.0.3 (x86 vi)
Mozilla Maintenance Service
Notepad++
OpenAL
Opera Stable 32.0.1948.25
PhotoScape
PowerISO
Revo Uninstaller Pro 3.1.2
Skype™ 7.5
Speccy
Spek
System Mechanic 14 Professional
Ultra Video Converter 5.2.0408
Ultra Video Splitter 6.3.0506
UsbFix
WinPcap 4.1.2
WinRAR 4.11 (32-bit)
Witches Legacy - The Dark Throne Collectors Edition
Zamby and the Mystical Crystals
.
==== Event Viewer Messages From Past Week ========
.
9/22/2015 12:58:03 PM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Search service, but this action failed with the following error: An instance of the service is already running.
9/22/2015 12:57:33 PM, Error: Service Control Manager [7031] - The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
9/22/2015 12:57:32 PM, Error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
9/22/2015 1:18:56 PM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Software Protection service, but this action failed with the following error: An instance of the service is already running.
9/22/2015 1:16:56 PM, Error: Service Control Manager [7034] - The Office Software Protection Platform service terminated unexpectedly. It has done this 1 time(s).
9/22/2015 1:16:56 PM, Error: Service Control Manager [7031] - The Software Protection service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
9/22/2015 1:16:54 PM, Error: Service Control Manager [7034] - The PnkBstrB service terminated unexpectedly. It has done this 1 time(s).
9/22/2015 1:16:54 PM, Error: Service Control Manager [7034] - The PnkBstrA service terminated unexpectedly. It has done this 1 time(s).
9/22/2015 1:16:54 PM, Error: Service Control Manager [7034] - The iolo System Service service terminated unexpectedly. It has done this 1 time(s).
9/22/2015 1:16:53 PM, Error: Service Control Manager [7031] - The cFosSpeed System Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
9/22/2015 1:16:52 PM, Error: Service Control Manager [7034] - The Arp Intelligent Protection Service service terminated unexpectedly. It has done this 1 time(s).
9/22/2015 1:13:57 PM, Error: Microsoft-Windows-WLAN-AutoConfig [10003] - WLAN Extensibility Module has stopped unexpectedly. Module Path: C:\Windows\System32\bcmihvsrv.dll
9/22/2015 1:05:54 PM, Error: Service Control Manager [7031] - The Diskeeper service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
9/21/2015 1:39:01 AM, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
9/21/2015 1:07:56 AM, Error: Service Control Manager [7000] - The Diskeeper service failed to start due to the following error: The pipe has been ended.
9/21/2015 1:07:50 AM, Error: Service Control Manager [7038] - The Spooler service was unable to log on as NT AUTHORITY\SYSTEM with the currently configured password due to the following error: The request is not supported. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
9/21/2015 1:07:50 AM, Error: Service Control Manager [7000] - The Print Spooler service failed to start due to the following error: The service did not start due to a logon failure.
9/21/2015 1:06:51 AM, Error: Service Control Manager [7034] - The MBAMService service terminated unexpectedly. It has done this 1 time(s).
9/21/2015 1:06:51 AM, Error: Service Control Manager [7034] - The MBAMScheduler service terminated unexpectedly. It has done this 1 time(s).
9/18/2015 5:50:13 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the AVP16.0.0 service.
9/18/2015 12:57:28 PM, Error: Microsoft-Windows-DistributedCOM [10000] - Unable to start a DCOM Server: {078AEF33-C48A-49F7-AFF3-A0EE810BFE7C}. The error: "5" Happened while starting this command: C:\Windows\system32\igfxsrvc.exe -Embedding
9/18/2015 12:56:52 PM, Error: Microsoft-Windows-DistributedCOM [10000] - Unable to start a DCOM Server: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}. The error: "5" Happened while starting this command: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
9/17/2015 11:44:01 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: cFosSpeed
9/16/2015 9:29:48 PM, Error: NetBT [4321] - The name "WORKGROUP :1d" could not be registered on the interface with IP address 192.168.1.29. The computer with the IP address 192.168.1.19 did not allow the name to be claimed by this computer.
9/15/2015 2:17:31 PM, Error: Service Control Manager [7030] - The State Tool for Video Saver service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
9/15/2015 2:17:31 PM, Error: Service Control Manager [7030] - The Recovery Tool for Video Saver 2 service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
9/15/2015 2:17:30 PM, Error: Service Control Manager [7030] - The VideoSaverSvc service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
.
==== End Of File ===========================
Last edited by Cypher on September 22nd, 2015, 6:08 am, edited 1 time in total.
Reason: Disabled link
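Two entries in the DDS log above explain the symptom and deserve a second look once the helper's tools are done. The HKCU Run value `[kmhlalccdh]` launches `explorer` with a URL: explorer.exe hands a URL argument to the shell, which opens it in the default browser (Opera here) at every logon, which is exactly what the poster describes. And the `mPolicies-System` lines show `EnableLUA`, `ConsentPromptBehaviorAdmin` and `PromptOnSecureDesktop` all at 0, so UAC is switched off and nothing that runs as this Administrator account is ever asked to elevate. As an added example that is not part of this thread and not a DDS feature, here is a small Python checker over lines in the shape of the Pseudo HJT Report section. The sample lines are constructed (the flagged ones are copied from the log above); the launcher list, the UAC value table and the random-name heuristic are assumptions of this example, not DDS rules.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of a DDS "Pseudo HJT Report". The kmhlalccdh
# Run value and the mPolicies-System lines are copied from the log in the post
# above; the remaining lines are representative benign entries.
SAMPLE_HJT = r"""
uStart Page = hxxp://www.google.com
uRun: [UniKey] c:\program files\unikey\UniKeyNT.exe
uRun: [GarenaPlus] "c:\program files\garena plus\GarenaMessenger.exe" -autolaunch
uRun: [kmhlalccdh] explorer "http://ognime.ru/?utm_source=uoua03&utm_content=e22e2a5a38751ffac5cc67397623ef78&utm_term=3EB97C0F4B708ED106BB021F3BCBB9CA"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:28
"""

RUN_LINE = re.compile(r"^(?P<hive>[um])Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.+)$")
POLICY_LINE = re.compile(
    r"^(?P<hive>[um])Policies-System:\s*(?P<key>\w+)\s*=\s*dword:(?P<val>[0-9a-fA-F]+)$")
URL_ARG = re.compile(r"\b(?:hxxps?|https?)://", re.IGNORECASE)

# Programs that pass their argument to the shell (ShellExecute), so a URL
# argument opens in the default browser at logon instead of running a binary.
# Assumption: a minimal list, not every LOLBin that can open a URL.
URL_LAUNCHERS = {"explorer", "start", "rundll32", "mshta", "cmd"}

# UAC policy values at which elevation no longer prompts. Assumption: the
# minimal set worth flagging from a DDS log, not every UAC-related key.
UAC_DISABLED_VALUES = {
    "EnableLUA": (0, "UAC is off: an admin user's processes run fully elevated"),
    "ConsentPromptBehaviorAdmin": (0, "admins elevate silently, no prompt"),
    "PromptOnSecureDesktop": (0, "elevation prompts are not shown on the secure desktop"),
}


def launcher_of(cmd: str) -> str:
    """Return the bare, lower-cased program name at the front of a Run command."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, may contain spaces
        end = cmd.find('"', 1)
        first = cmd[1:end] if end > 0 else cmd[1:]
    else:
        parts = cmd.split()
        first = parts[0] if parts else ""
    first = first.rsplit("\\", 1)[-1].lower()    # drop any directory prefix
    return first[:-4] if first.endswith(".exe") else first


def looks_random(name: str) -> bool:
    """Crude heuristic (an assumption, not a rule): an 8+ character,
    all-lowercase value name with few vowels is unlike a vendor-chosen name."""
    if len(name) < 8 or not name.isalpha() or not name.islower():
        return False
    vowels = sum(c in "aeiou" for c in name)
    return vowels / len(name) < 0.25


def analyze_hjt(text: str) -> List[Dict[str, str]]:
    """Flag Run values that open a URL through a shell launcher and
    mPolicies-System values that disable UAC prompting."""
    findings: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = RUN_LINE.match(line)
        if m:
            name, cmd = m.group("name"), m.group("cmd")
            hive = "HKCU" if m.group("hive") == "u" else "HKLM"
            if launcher_of(cmd) in URL_LAUNCHERS and URL_ARG.search(cmd):
                reason = "Run value opens a URL via the shell; the default browser loads it at every logon"
                if looks_random(name):
                    reason += " (value name looks randomly generated)"
                findings.append({"kind": "run", "hive": hive, "name": name,
                                 "reason": reason, "line": line})
            continue
        m = POLICY_LINE.match(line)
        if m and m.group("key") in UAC_DISABLED_VALUES:
            bad, reason = UAC_DISABLED_VALUES[m.group("key")]
            if int(m.group("val"), 16) == bad:
                hive = "HKCU" if m.group("hive") == "u" else "HKLM"
                findings.append({"kind": "uac", "hive": hive, "name": m.group("key"),
                                 "reason": reason, "line": line})
    return findings


if __name__ == "__main__":
    for f in analyze_hjt(SAMPLE_HJT):
        print(f"[{f['kind']}] {f['hive']} {f['name']}: {f['reason']}")
```

Run against the sample it reports the `kmhlalccdh` value and the three zeroed UAC keys, and stays quiet on the vendor entries and on `ConsentPromptBehaviorUser = 3`. The Run-value match keys on the launcher plus a URL argument rather than on the value name, because the name is the part a dropper changes most easily; the name heuristic only annotates a hit it has already made.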

Re: I got infected with mail.ru

Post by pgmigg » September 23rd, 2015, 10:47 pm

Hello nguyenphilan555,

Welcome to the forum! :)

I am pgmigg and I'll be helping you with any malware problems.

Before we begin, please read and follow these important guidelines, so things will proceed smoothly.
  1. The instructions being given are for YOUR computer and system only!
    Using these instructions on a different computer can cause damage to that computer and possibly render it inoperable!
  2. You must have Administrator rights, permissions for this computer.
  3. DO NOT run any other fix or removal tools unless instructed to do so!
  4. DO NOT install any other software (or hardware) during the cleaning process until we are done as well as
    DO NOT Remove, or Scan with anything on your system unless I ask. This adds more items to be researched.
    Extra Additions and Removals of files make the analysis more difficult.
  5. Only post your problem at (1) one help site. Applying fixes from multiple help sites can cause problems.
  6. Print each set of instructions if possible - your Internet connection will not be available during some fix processes.
  7. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  8. Only reply to this thread, do not start another one. Please, continue responding, until I give you the "All Clean!" :cheers:
    Absence of symptoms does not mean that everything is clear.

I am currently reviewing your logs and will return, as soon as possible, with additional instructions. In the meantime...

Note: If you haven't done so already, please read this topic ALL USERS OF THIS FORUM MUST READ THIS FIRST where the conditions for receiving help here are explained.

Please read all instructions carefully before executing and perform the steps, in the order given.
If you have any questions or problems executing these instructions, <<STOP>> do not proceed, post back with the question or problem.

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to back up any personal files and folders before you start.


Failure to post replies within 72 hours will result in this thread being closed

Re: I got infected with mail.ru

Post by pgmigg » September 23rd, 2015, 11:16 pm

Hello nguyenphilan555,

P2P Advisory!
IMPORTANT: There are signs of one or more P2P (Peer to Peer) File Sharing Programs installed on your computer.
µTorrent

As long as you have the P2P program(s) installed, per Forum Policy, I can offer you no further assistance.
If you choose NOT to remove the program(s), please indicate that in your next reply and this topic will be closed.

Otherwise, please perform the following steps:

Step 1.
Remove P2P Program
  1. Click on Start, then click the Start Search box on the Start Menu.
  2. Copy and paste the value below into the open text entry box:
     appwiz.cpl
    and press Enter - the Uninstall or change a program list will open.
  3. Click each Entry, as follows, one by one, if it exists, choose Uninstall, and give permission to Continue:
    µTorrent
  4. Click on the Change/Remove button to uninstall it.
  5. When the program has been uninstalled, please close Control Panel.
  6. Reboot (restart) your computer.
By using any form of P2P networking to download files you can anticipate infestations of malware to occur. The P2P program itself may be safe but the files may not - use P2P at your own risk!
Keep in mind that this practice may be the source of your current malware infestation.
Reference, citing risk factors of using P2P programs: How to Prevent the Online Invasion of Spyware and Adware

Step 2.
Run CKScanner
  1. Please download CKScanner from here
  2. Important: - Save it to your Desktop.
  3. Double-click CKScanner.exe and click Search For Files.
  4. After a very short time, when the cursor hourglass disappears, click Save List To File.
  5. A message box will verify the file saved.
  6. Double-click the CKFiles.txt icon on your Desktop and copy/paste the contents in your next reply.

Step 3.
MGA Diagnostics
I need you to run a tool which will aid in determining what additional steps we'll need to perform.
  1. Please download this tool from Microsoft and save it to your Desktop.
  2. Right click on MGADiag.exe and select "Run As Administrator..." to run it.
  3. Click "Run" again and then click "Continue".
  4. The program will run. It takes a while to finish the diagnosis, please be patient.
  5. Once done, click on Copy.
  6. Open Notepad and paste the contents in. Save this file and post it in your next reply.

Step 4.
TSG - SysInfo utility
  1. Please download SysInfo utility and save it to your Desktop.
  2. Right click on SysInfo.exe, select "Run As Administrator..." to run it... if UAC prompts, please allow it.
  3. Right click, select copy and then paste in your next post.

Then:
Please tell me is this computer used for business purposes and connected to a business or educational network?
I need to know it - so I can provide the proper instructions.

Please post each log separately to prevent it being cut off by the forum post size limiter.
Check each after you've posted it to make sure it's all present; if any log is cut off you'll have to post it in sections.

Please include in your next reply:
  1. Do you have any problems executing the instructions?
  2. Your decision about P2P programs
  3. Contents of CKFiles.txt log file
  4. Contents of a log created by MGADiag.exe
  5. Contents of SysInfo scan
  6. Answer to my question about how your computer is used

Thanks,
pgmigg

Failure to post replies within 72 hours will result in this thread being closed

Re: I got infected with mail.ru

Post by Gary R » September 28th, 2015, 1:42 am

Due to a lack of response, this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.