I checked the file with my ESET Smart Security 8 and SuperAntiSpyware Pro. I also checked the properties and it appears to be digitally signed by Microsoft.
I'm not familiar with Virus Total. Is it on my system?
Other than that the file appears to be good.
The main issues I'm experiencing at the moment are that when I click on any folder or the start menu button, the system is very sluggish to respond and extremely slow when navigating between different folders. Also, when I do a shutdown, I see a webpage that the system is or has tried to connect to. It appears to be an adware type virus from hell. Also, my ESET Smart Security 8 is giving me lots of alerts about blocking the address in the picture below. So, whatever is on this system still has a remnant that wants to connect to that address.
I've started a re-indexing for Windows Explorer and I did a SFC /SCANNOW. There were no issues with the SFC.
This was definitely a virus attack.
I'm downloading UVK now.
The UVK log file is over 2MB.
UVK - Ultra Virus Killer Log.txt
You can download the UVK log file from the file drop site on the link above.
Let me know if you see something.
Regards
Last edited by tjg79; 07 Oct 2015 at 23:22.
14 posts and NO MGADiag??
SHAME ON YOU!
ESET has been known to flag the WAT tools in the past - it's a false positive, but semi-legitimate, since the tool will phone home every so often to pick up the latest definitions.
Please follow this tutorial and post an MGADiag report - then we can see what the problem is.
Windows Genuine and Activation Issue Posting Instructions
Ignore errors produced when clicking on the Copy button - they simply mean that the tool could not create the backup files for some reason. The data is still copied to the clipboard for pasting to your response.
Please also state the Version and Edition of Windows quoted on your COA sticker (if you have one) on the case of your machine (or inside the battery compartment), but do NOT quote the Key on the sticker!
https://www.microsoft.com/en-gb/howt...spx#PCPurchase
It's a virus, but I'm not sure it's been completely removed, because the system doesn't behave as if the virus is completely removed. I downloaded and ran the Microsoft Safety Scanner for my Win 7 Pro x64 system. The MS Safety Scanner detected a Trojan Dynamater virus. I'm not sure about the spelling. The symptoms were constant downloading of temp files, very sluggish system when attempting to navigate between different folders in Windows Explorer. Windows Task Manager indicated significantly higher than normal system resource utilization, cpu and memory. Presently, I'm running ESET Smart Security 8 Smart Scan. It doesn't appear to be detecting anything yet and it's been running for an hour and twenty minutes. I don't know how long it will take to complete the ESET virus scan. I'm not sure if the virus software can scan the boot sectors. I will check the scan logs when the scan completes. This is a virus issue.
From the Certificate of Authenticity Sticker:
Windows 7 Pro OEM Software
FQC-04849 (the 8 could be a 6, the print is illegible)
X16-93649
00180-451-841-077
The ESET Smart Security 8 Smart Scan completed, but the scan logs indicate that it had errors when attempting to open the boot sectors of C:\, D:\, E:\, & O:\. Therefore, I don't think ESET SS 8 successfully scanned the boot sectors and I suspect this virus is hiding in the boot sectors and will reload when I reboot.
Code:
Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Code: 0
Cached Online Validation Code: 0x0
Windows Product Key: *****-*****-9CBQQ-CBRDX-4VBW4
Windows Product Key Hash: 4o79yMzf+5/lHKmwIiotxng2nPc=
Windows Product ID: 00371-OEM-9045181-41077
Windows Product ID Type: 3
Windows License Type: OEM System Builder
Windows OS version: 6.1.7601.2.00010100.1.0.048
ID: {88569B0E-21CB-4760-A2CC-9595DA52037D}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: Registered, 1.9.42.0
Signed By: Microsoft
Product Name: Windows 7 Professional
Architecture: 0x00000009
Build lab: 7601.win7sp1_gdr.150722-0600
TTS Error:
Validation Diagnostic:
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 100 Genuine
Microsoft Office Professional 2007 - 100 Genuine
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 77F760FE-153-80070002_7E90FEE8-175-80070002_025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005_E2AD56EA-765-b01a_E2AD56EA-766-0_E2AD56EA-148-80004005_16E0B333-89-80004005_B4D0AA8B-1029-80004005

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files\Internet Explorer\iexplore.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{88569B0E-21CB-4760-A2CC-9595DA52037D}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.048</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-4VBW4</PKey><PID>00371-OEM-9045181-41077</PID><PIDType>3</PIDType><SID>S-1-5-21-764048772-141219837-185285450</SID><SYSTEM><Manufacturer>INTEL_</Manufacturer><Model>DX58SO__</Model></SYSTEM><BIOS><Manufacturer>Intel Corp.</Manufacturer><Version>SOX5810J.86A.5600.2013.0729.2250</Version><SMBIOSVersion major="2" minor="5"/><Date>20130729000000.000000+000</Date></BIOS><HWID>92BD3107018400F4</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{91120000-0014-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Professional 2007</Name><Ver>12</Ver><Val>1B16FCA35E8C714</Val><Hash>Ox0izo7MjcnLKUdV4ul5G/4OhBY=</Hash><Pid>81605-906-5273533-65430</Pid><PidType>1</PidType></Product></Products><Applications><App Id="15" Version="12" Result="100"/><App Id="16" Version="12" Result="100"/><App Id="18" Version="12" Result="100"/><App Id="19" Version="12" Result="100"/><App Id="1A" Version="12" Result="100"/><App Id="1B" Version="12" Result="100"/></Applications></Office></Software></GenuineResults>

Spsys.log Content: 0x80070002

Licensing Data-->
Software licensing service version: 6.1.7601.17514

Name: Windows(R) 7, Professional edition
Description: Windows Operating System - Windows(R) 7, OEM_COA_NSLP channel
Activation ID: e120e868-3df2-464a-95a0-b52fa5ada4bf
Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
Extended PID: 00371-00180-451-841077-02-1033-7601.0000-0732015
Installation ID: 012201651040681403614155510252839633960930028731337932
Processor Certificate URL: SpcService Web Service
Machine Certificate URL: RacService Web Service
Use License URL: UseLicenseService Web Service
Product Key Certificate URL: PkcService Web Service
Partial Product Key: 4VBW4
License Status: Licensed
Remaining Windows rearm count: 3
Trusted time: 08-Oct-15 09:26:18

Windows Activation Technologies-->
HrOffline: 0x00000000
HrOnline: 0x00000000
HealthStatus: 0x0000000000000000
Event Time Stamp: 9:11:2015 06:15
ActiveX: Registered, Version: 7.1.7600.16395
Admin Service: Registered, Version: 7.1.7600.16395
HealthStatus Bitmask Output:

HWID Data-->
HWID Hash Current: MgAAAAMAAAABAAEAAQADAAAAAQABAAEACrYw0kNG2mNsQ1D3xOAOLEaUnJ+9IKaegig=

OEM Activation 1.0 Data-->
N/A

OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes, but no SLIC table
Windows marker version: N/A
OEMID and OEMTableID Consistent: N/A
BIOS Information:
  ACPI Table Name    OEMID Value    OEMTableID Value
  APIC               INTEL          DX58SO
  FACP               INTEL          DX58SO
  HPET               INTEL          DX58SO
  MCFG               INTEL          DX58SO
  WDDT               INTEL          DX58SO
  ASF!               INTEL          DX58SO
  SSDT               INTEL          SSDT  PM
  DMAR               INTEL          DX58SO
  WDTT               INTEL          DX58SO
  ASPT               INTEL          PerfTune
Last edited by tjg79; 08 Oct 2015 at 08:28.
Posting the MGADiag log as Noel has requested after your security scan will let Noel see if your infection has affected your MGADiag.
Please complete the instruction Noel has given.
Do you need any additional information?
I looked at your log. Can you confirm what is in this folder?
C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}
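Two checks come up in this thread: whether a file is really digitally signed by Microsoft (post #11 above) and what is sitting in the C:\ProgramData\{GUID} folder asked about in the last reply. The PowerShell script below is an added example written for this page, not a tool from the thread or from any of the scanners mentioned. It walks a file or folder (hidden files included), reports each file's Authenticode status and signer, and prints the SHA-256 hash that can be pasted into the VirusTotal search box instead of uploading the file. It assumes PowerShell 4.0 or later (Windows Management Framework 4 on Windows 7) because Get-FileHash did not exist before that; the default path is the folder named in the thread and is only a placeholder for whatever is being investigated.

```powershell
# Added example (not from the thread): triage a file or folder for a malware
# clean-up. Requires PowerShell 4.0+ (Get-FileHash). The default path is the
# folder asked about in the thread; pass -Path to point it elsewhere.
param(
    [string]$Path = 'C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}'
)

function Get-FileTriage {
    param([Parameter(Mandatory = $true)][string]$Path)

    # A single file is triaged on its own; a directory is walked recursively.
    # -Force includes hidden and system files, which droppers often set.
    $items = if (Test-Path -LiteralPath $Path -PathType Leaf) {
        Get-Item -LiteralPath $Path -Force
    } else {
        Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue
    }

    foreach ($file in $items) {
        # Status 'Valid' means the signature chains to a trusted root and the
        # file has not been modified since signing. 'NotSigned' or 'HashMismatch'
        # on a binary that claims to be Microsoft's is the thing to look at.
        $sig = Get-AuthenticodeSignature -FilePath $file.FullName

        [PSCustomObject]@{
            Path      = $file.FullName
            SizeBytes = $file.Length
            Modified  = $file.LastWriteTime
            SigStatus = $sig.Status
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            # SHA-256 is what VirusTotal indexes; searching the hash reveals
            # whether the file is already known without uploading it.
            SHA256    = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        }
    }
}

Get-FileTriage -Path $Path | Format-List
```

Run it from an elevated PowerShell prompt so that files under ProgramData with restrictive ACLs can be read; a Signer subject of "CN=Microsoft Windows" or "CN=Microsoft Corporation" with SigStatus Valid is the combination the "digitally signed by Microsoft" check in the Properties dialog is summarising, and a valid signature from some other company, or no signature at all, on a file in a GUID-named ProgramData folder is worth looking up by hash before deciding the machine is clean.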