CCleaner ccsetup504.exe: "...side-by-side configuration is incorrect"


  1. Posts : 4,161
    Windows 7 Pro-x64
       #21

    You could also run this SF-Diagnostic-Tool and upload the zip file here. Be sure to run as administrator and click on the Grab All button. Allow at least five minutes for the tool to assemble all the files. There's no personal info in the files except the pc/user-name (if that's personal).


  2. Posts : 61
    Windows 7 Home Premium 64bit
    Thread Starter
       #22

    Under "Error", there are 3 "SideBySide" categories:
    [Screenshot: 2015-04-09_014109.jpg]

    Event ID: 33

    Activation context generation failed for "c:\Windows\Installer\{67E03279-F703-408F-B4BF-46B5FC8D70CD}\WksWP.exe". Dependent Assembly msadctls,processorArchitecture="x86",type="win32",version="1.0.1801.0" could not be found. Please use sxstrace.exe for detailed diagnosis.

    "C:\Windows\Installer\{67E03279-F703-408F-B4BF-46B5FC8D70CD}\wksss.exe"

    "c:\Windows\Installer\{67E03279-F703-408F-B4BF-46B5FC8D70CD}\wksdb.exe".

    "c:\Windows\Installer\{67E03279-F703-408F-B4BF-46B5FC8D70CD}\WksCal.exe".

    These 4 ".exe" files are repeated throughout.
    .........................

    Event ID: 35

    Activation context generation failed for "C:\Program Files (x86)\Windows Live\Photo Gallery\MovieMaker.Exe".Error in manifest or policy file "C:\Program Files (x86)\Windows Live\Photo Gallery\WLMFDS.DLL" on line 8. Component identity found in manifest does not match the identity of the component requested. Reference is WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1". Definition is WLMFDS,processorArchitecture="x86",type="win32",version="1.0.0.1". Please use sxstrace.exe for detailed diagnosis.

    I haven't ever used MovieMaker.
    ....................

    Event ID: 59

    Just 4 entries.

    [Screenshot: 2015-04-09_020054.jpg]

    Activation context generation failed for "C:\PROGRAMS\CCleaner 5.03.5128\ccsetup503.exe".Error in manifest or policy file "C:\PROGRAMS\CCleaner 5.03.5128\ccsetup503.exe" on line 0. Invalid Xml syntax.

    This is the version I had installed prior to attempting to upgrade.
    .................

    I can't use the SF-Diagnostic-Tool, as I get the same error:
    [Screenshot: 2015-04-09_020952.jpg]


  3. Posts : 4,161
    Windows 7 Pro-x64
       #23

    The first group (Event ID 33) is a Microsoft Works problem. These look like they're missing MSADCTL.DLL or your version is too old. I think you need version 8 or above for Windows 7. Check your version!

    The second group (Event ID 35) is caused by a bad WLMFDS.DLL. This looks like a wrong version too.

    The problem with CCleaner setup appears to be a corrupt file. It could be that anything you download may be getting infected.

    After looking at these, there's a strong possibility that you have malware. Download Emsisoft Emergency Kit, free version, and run the EEK scan. You'll need to let it update the signatures first so this will take a while. It is a standalone portable program so there is no install. It can be run from a thumb drive too. It might be a good idea to use a different PC to download it and TDSSKiller below.

    Also download and run TDSSKiller. This is a root-kit virus checker. I think this one installs so run the EEK scan first.
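The three SideBySide event types discussed in posts #22 and #23 can be separated mechanically when the log holds many of them. The PowerShell below is an added example, not part of the original thread; `ConvertFrom-SxsMessage` is a hypothetical helper name, and the sample messages are the ones quoted in post #22.

```powershell
# Added example: classify SideBySide events by what the loader could not resolve.
# ConvertFrom-SxsMessage is a hypothetical helper name, not a built-in cmdlet.
function ConvertFrom-SxsMessage {
    param(
        [Parameter(Mandatory)][int]$Id,
        [Parameter(Mandatory)][string]$Message
    )
    # Every SideBySide failure names the executable whose manifest was being resolved.
    $exe = $null
    if ($Message -match 'Activation context generation failed for "([^"]+)"') {
        $exe = $Matches[1]
    }
    # Event-specific detail; stays $null if the message has an unexpected shape.
    $detail = switch ($Id) {
        33 { if ($Message -match 'Dependent Assembly ([^,]+),.*?version="([^"]+)"') {
                 "missing assembly $($Matches[1]) $($Matches[2])" } }
        35 { if ($Message -match 'Reference is .*?processorArchitecture="([^"]+)".*?Definition is .*?processorArchitecture="([^"]+)"') {
                 "identity mismatch: requested $($Matches[1]), manifest says $($Matches[2])" } }
        59 { if ($Message -match 'Error in manifest or policy file "([^"]+)" on line (\d+)') {
                 "manifest not parsable: $($Matches[1]) line $($Matches[2])" } }
    }
    [pscustomobject]@{ Id = $Id; Executable = $exe; Detail = $detail }
}

# Messages copied from the events quoted in post #22.
$samples = @(
    @{ Id = 33; Message = 'Activation context generation failed for "c:\Windows\Installer\{67E03279-F703-408F-B4BF-46B5FC8D70CD}\WksWP.exe". Dependent Assembly msadctls,processorArchitecture="x86",type="win32",version="1.0.1801.0" could not be found. Please use sxstrace.exe for detailed diagnosis.' }
    @{ Id = 35; Message = 'Activation context generation failed for "C:\Program Files (x86)\Windows Live\Photo Gallery\MovieMaker.Exe".Error in manifest or policy file "C:\Program Files (x86)\Windows Live\Photo Gallery\WLMFDS.DLL" on line 8. Component identity found in manifest does not match the identity of the component requested. Reference is WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1". Definition is WLMFDS,processorArchitecture="x86",type="win32",version="1.0.0.1". Please use sxstrace.exe for detailed diagnosis.' }
    @{ Id = 59; Message = 'Activation context generation failed for "C:\PROGRAMS\CCleaner 5.03.5128\ccsetup503.exe".Error in manifest or policy file "C:\PROGRAMS\CCleaner 5.03.5128\ccsetup503.exe" on line 0. Invalid Xml syntax.' }
)
$samples | ForEach-Object { ConvertFrom-SxsMessage -Id $_.Id -Message $_.Message } | Format-List

# Live use on the affected machine (Application log, provider "SideBySide"):
# Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'SideBySide'; Id = 33, 35, 59 } |
#     ForEach-Object { ConvertFrom-SxsMessage -Id $_.Id -Message $_.Message } |
#     Group-Object Id, Executable | Sort-Object Count -Descending
```

An Event 59 against an executable that previously ran, as with ccsetup503.exe here, points at the file on disk having changed, which is why the reply treats it separately from the two version-mismatch groups.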


  4. Posts : 61
    Windows 7 Home Premium 64bit
    Thread Starter
       #24

    Microsoft Works is v.9. I can't find any mention of a later version. I haven't ever used the program.

    Windows Live Movie Maker is v.14.0.8091.0731 - but Microsoft states the latest is v.12!
    Incidentally, when I opened the prog, it crashed after a few mins:
    [Screenshot: 2015-04-09_180937.jpg]

    Emsisoft Emergency Kit:
    [Screenshot: 2015-04-09_173357_join.jpg]

    EEK a2scan_150409-161408.txt

    I haven't deleted or quarantined anything.

    TDSSKiller didn't find anything:
    TDSSKiller Scan Log 2015-04-09.txt

    Do I need to adjust anything?
    [Screenshot: 2015-04-09_173717.jpg]


  5. Posts : 4,161
    Windows 7 Pro-x64
       #25

    Yes, check all those boxes. Some valid unsigned drivers may show up but it's better to verify the digital signatures and check kick-outs individually than to let all of them just pass. "Most" (used loosely) malware isn't signed. You can choose what to do with them.

    I would at least quarantine the objects found by EEK. These too can be restored or deleted later. Some of those are potentially dangerous. Perhaps not in themselves but what they can allow. Especially Conduit (browser hijacker) and Freeze (download server). There's also a number of ad-servers on the list. Check to see if any show up on your installed programs list. If they do, I suggest they be uninstalled. NEVER download applications or drivers from any service but the OEM or the OEM's alternate server. And ALWAYS choose a "custom install" so you can see what's being added to the install. Many will include additional PUPs.

    There's one more I'd like you to run. No single scanner will catch all malware. Download and install the free version of Malwarebytes Antimalware (MBAM). You can get the download HERE then follow this TUTORIAL. Pay particular attention to the last install option screen and uncheck the trial option. Be sure to run MBAM as administrator after it is installed.


  6. Posts : 61
    Windows 7 Home Premium 64bit
    Thread Starter
       #26

    I've re-run EEK and quarantined everything - the prog says only 16 of the 17 have been quarantined, though. I haven't identified the missing one.

    If I can identify any as installed progs, what should I use to uninstall them, if they don't appear under Windows' Add and Remove or in Revo Uninstaller?

    MBAM log:
    Malwarebytes Anti-Malware
    Malwarebytes | Free Anti-Malware & Internet Security Software

    Scan Date: 09/04/2015
    Scan Time: 23:22:55
    Logfile:
    Administrator: Yes

    Version: 2.01.4.1018
    Malware Database: v2015.04.09.07
    Rootkit Database: v2015.03.31.01
    License: Free
    Malware Protection: Disabled
    Malicious Website Protection: Disabled
    Self-protection: Disabled

    OS: Windows 7 Service Pack 1
    CPU: x64
    File System: NTFS
    User: Dad

    Scan Type: Threat Scan
    Result: Completed
    Objects Scanned: 399082
    Time Elapsed: 36 min, 54 sec

    Memory: Enabled
    Startup: Enabled
    Filesystem: Enabled
    Archives: Enabled
    Rootkits: Enabled
    Heuristics: Enabled
    PUP: Enabled
    PUM: Enabled

    Processes: 0
    (No malicious items detected)

    Modules: 0
    (No malicious items detected)

    Registry Keys: 0
    (No malicious items detected)

    Registry Values: 3
    PUP.Optional.Conduit.A, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{afdbddaa-5d3f-42ee-b79c-185a7020515b}|URL, http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT1060933&SSPV=IESB01, Quarantined, [17743139d9b1f73f343637856c97db25]
    PUP.Optional.Conduit.A, HKU\S-1-5-21-1050699504-4118538850-2090742069-1001\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{afdbddaa-5d3f-42ee-b79c-185a7020515b}|URL, http://search.conduit.com/Results.aspx?gd=&ctid=CT3315513&octid=EB_ORIGINAL_CTID&ISID=M08AB69D0-373D-4C18-956B-1138BD153C79&SearchSource=58&CUI=&UM=5&UP=SPF72EF9AF-729C-4225-8D57-299642F05D15&q={searchTerms}&SSPV=, Quarantined, [c6c525452a600d2994d73c8044bf6997]
    PUP.Optional.Conduit.A, HKU\S-1-5-21-1050699504-4118538850-2090742069-1001\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{afdbddaa-5d3f-42ee-b79c-185a7020515b}|SuggestionsURL_JSON, http://suggest.search.conduit.com/CSuggestJson.ashx?prefix={searchTerms}, Quarantined, [acdff1797317d165da9177459a693fc1]

    Registry Data: 0
    (No malicious items detected)

    Folders: 0
    (No malicious items detected)

    Files: 0
    (No malicious items detected)

    Physical Sectors: 0
    (No malicious items detected)


    (end)


  7. Posts : 4,161
    Windows 7 Pro-x64
       #27

    Be sure to reboot after the scans.

    If they don't show up in Programs, they could be inserted as a browser add-on. Depending on which browser(s) you use, you can look in Tools for something like Manage Add-ons. Do this for all browsers installed on the system (Chrome, IE, Firefox, etc.). Use Disable or Delete depending on which Type of add-on is selected (Tool Bars, Accelerators, Search Providers, etc.).


  8. Posts : 4,161
    Windows 7 Pro-x64
       #28

    Also: What antivirus system are you using? Make sure it's up to date and run a full scan.

    Follow this Clean Start tutorial to see if any questionable entries are shown. Don't change anything yet--Skip item 3 and click on the Services tab. You can hide the Microsoft Services. We just want to see what's there for the time being. Post an image if you don't recognize entries.

    After checking the browsers, and removing any questionable entries, close the browser and reboot. Re-run MBAM and see if the Registry entries for Conduit return. If they do, start saving your data files. I'm afraid a clean install of Windows may be in your future.


  9. Posts : 61
    Windows 7 Home Premium 64bit
    Thread Starter
       #29

    Thanks for your patience.

    With the same things showing up in the scans, I thought I'd post all the results in one post, mainly so I can keep on top of everything.

    ........................
    Emsisoft Emergency Kit v. 9.0.0.4700
    (C) 2003-2014 Emsisoft - Emsisoft Anti-Malware: Your ultimate weapon against all Internet threats

    ID Object
    0 C:\Windows\couponprinter.ocx detected: Application.AdCoup (A)

    1 Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\W3I detected: Application.InstallAd (A)

    2 Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NOFOLDEROPTIONS detected: Setting.NoFolderOptions (A)

    3 Key: HKEY_USERS\S-1-5-21-1050699504-4118538850-2090742069-1001\SOFTWARE\ANYPROTECT detected: Application.AdProtect (A)

    4 C:\Program Files (x86)\AnyProtectEx detected: Application.AdProtect (A)

    5 Key: HKEY_USERS\S-1-5-21-1050699504-4118538850-2090742069-1001\SOFTWARE\CONDUIT detected: Application.InstallAd (A)

    6 C:\Users\Dad\AppData\Local\Conduit detected: Application.AppInstall (A)

    7 Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR detected: Setting.DisableTaskMgr (A)

    8 Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NORUN detected: Setting.NoRun (A)

    9 Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS detected: Setting.DisableRegistryTools (A)

    10 Key: HKEY_USERS\S-1-5-21-1050699504-4118538850-2090742069-1001\SOFTWARE\SOFTONIC detected: Application.InstallAd (A)

    11 C:\Users\Dad\AppData\Roaming\coupons detected: Application.AppInstall (A)

    12 Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1392B8D2-5C05-419F-A8F6-B9F15A596612} detected: Application.BHO (A)

    13 C:\ProgramData\partner detected: Application.AppInstall (A)

    14 Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\FREEZE.COM detected: Application.InstallAd (A)

    15 Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\CONDUIT detected: Application.InstallAd (A)

    Deleted all of these.
    ..............................

    MBAM

    Registry Values: 3
    PUP.Optional.Conduit.A, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{afdbddaa-5d3f-42ee-b79c-185a7020515b}|URL, http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT1060933&SSPV=IESB01, Quarantined, [17743139d9b1f73f343637856c97db25]
    PUP.Optional.Conduit.A, HKU\S-1-5-21-1050699504-4118538850-2090742069-1001\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{afdbddaa-5d3f-42ee-b79c-185a7020515b}|URL, http://search.conduit.com/Results.aspx?gd=&ctid=CT3315513&octid=EB_ORIGINAL_CTID&ISID=M08AB69D0-373D-4C18-956B-1138BD153C79&SearchSource=58&CUI=&UM=5&UP=SPF72EF9AF-729C-4225-8D57-299642F05D15&q={searchTerms}&SSPV=, Quarantined, [c6c525452a600d2994d73c8044bf6997]
    PUP.Optional.Conduit.A, HKU\S-1-5-21-1050699504-4118538850-2090742069-1001\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{afdbddaa-5d3f-42ee-b79c-185a7020515b}|SuggestionsURL_JSON, http://suggest.search.conduit.com/CSuggestJson.ashx?prefix={searchTerms}, Quarantined, [acdff1797317d165da9177459a693fc1]

    Deleted all of these.

    .............................

    No suspicious extensions or add-ons in Chrome or IE11.

    .............................

    I have Avast Free Anti-virus 2015, so I ran the Smart Scan and then a Boot Scan (as I was prompted to do). The boot scan took hours.

    I quarantined everything to the "Virus Chest" and then deleted it all, after the laptop had re-booted to the full Windows environment. I thought I'd already removed some of this stuff with EEK, especially AnyProtect.

    [Screenshot: 2015-04-10_212811_join.jpg]

    Should I do another boot scan, to confirm they've gone?
    .............................

    Clean Start-up

    [Screenshot: 2015-04-10_213735_join.jpg]

    I don't immediately recognise everything, but nothing nasty springs out at me.

    I only went as far as listing the non-Microsoft processes - I didn't disable them and re-boot, as the tutorial instructs.

    .............................

    Re-ran MBAM and it's clean.

    I haven't yet tried to re-install CCleaner ccsetup504.exe, in case you want me to do the full clean boot or if the CCleaner exe still needs to be checked.

    I think I know where all of the above have come from, though. About a year ago I upgraded the previously safe PicPick screen-capture tool to v.3.3.2, which turned out to be bundled with aggressive PUPs. Some installed no matter what I ticked and unticked, and all-but disabled Revo Uninstaller, together with a few other things. As everything eventually returned to normal, bar Revo, I ignored it. Daft, really.
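Post #28 asks whether the Conduit registry entries return after a reboot, and the EEK log in post #29 also lists four policy values that lock out Task Manager, Run, Folder Options and the registry tools. The PowerShell below is an added, read-only example for repeating that check without a full scan; it is not part of the original thread, the function names are hypothetical, and `HKCU:` stands in for the `HKU\S-1-5-21-...` hive shown in the logs, so it only matches when run as that user.

```powershell
# Added example: re-check the registry locations named in the EEK and MBAM logs.
# Read-only: it reports what is present and changes nothing.
$policyValues = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoRun' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools' }
)

function Get-PolicyRestriction {
    # Emits one object per policy value that still exists; absent values emit nothing.
    foreach ($p in $policyValues) {
        $item = Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            [pscustomobject]@{ Path = $p.Path; Name = $p.Name; Value = $item.($p.Name) }
        }
    }
}

function Get-SearchScope {
    # Lists every IE search provider URL in the 32-bit, 64-bit and per-user views.
    $roots = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes',
             'HKLM:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes',
             'HKCU:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes'
    foreach ($root in $roots) {
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath
            foreach ($name in 'URL', 'SuggestionsURL_JSON') {
                if ($props.$name) {
                    [pscustomobject]@{
                        Root     = $root
                        Scope    = $_.PSChildName
                        Name     = $name
                        HostName = ($props.$name -as [uri]).Host
                        Value    = $props.$name
                    }
                }
            }
        }
    }
}

Get-PolicyRestriction | Format-Table -AutoSize
Get-SearchScope | Where-Object HostName -like '*conduit.com' |
    Format-Table Root, Scope, Name, HostName -AutoSize
```

Empty output from both commands after a reboot matches the clean MBAM re-run reported in post #29; dropping the `Where-Object` filter lists every remaining search provider for manual review.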


  10. Posts : 4,161
    Windows 7 Pro-x64
       #30

    I had to look up a few of the Services I didn't recognize. Some "I" wouldn't use but that's owner choice. Go back to that Clean Start-up and click on the Start UP tab for a quick look.

    I would feel better if you did another boot scan and it came out clean.

    I would download a new copy of CCleaner before attempting to install it. Get it from HERE only.


 
Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd