Getting Bogus Emails Daily

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Joe Ciaravino, Jun 18, 2015.

  1. Joe Ciaravino

    Joe Ciaravino Specialist

    Every time I go online it doesn't take long for me to get sexually explicit email solicitations.

    I also keep getting repetitive requests from Microsoft Security Essentials for me to allow investigation of the same 4 files on my computer. I have allowed them to investigate these 4 files, but I keep getting the requests.

    Finally, I don't know for sure, but it seems that my CPU fan is running faster than it has been in the past. That seems to tell me that the CPU is working harder than before. Task manager shows more running processes than I have seen before, and CPU usage running a constant (approximately) 10%.

    Please advise.

    Thank you.
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  3. Joe Ciaravino

    Joe Ciaravino Specialist

    Before I do anything, a couple of questions about the instructions:

    1. I have VMWare Player installed so I can run virtual XP. I also have PLEX media server installed. These were both EXTREMELY difficult for me to set up. Can I simply disable both of them or shut them off in TaskMgr if needed?

    2. I have MSE as my only firewall/antivirus. I also have SpywareBlaster installed (which only runs if I turn it on) and Malwarebytes (which only runs if I turn it on). Is this OK?

    3. I have 64 bit Windows 7. FYI

    4. I ALWAYS run my computer with file extensions shown and hidden files/folders shown at all times. I am the only one who uses it.
     
    Last edited: Jun 18, 2015
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes, yes, OK and OK. ;)
     
  5. Joe Ciaravino

    Joe Ciaravino Specialist

    RogueKiller V10.8.4.0 (x64) [Jun 15 2015] by Adlice Software
    mail : http://www.adlice.com/contact/
    Feedback : http://forum.adlice.com
    Website : http://www.adlice.com/softwares/roguekiller/
    Blog : http://www.adlice.com

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : Joe Ciaravino [Administrator]
    Started from : C:\Program Files\RogueKiller\RogueKiller.exe
    Mode : Scan -- Date : 06/19/2015 18:13:23

    ¤¤¤ Processes : 0 ¤¤¤

    ¤¤¤ Registry : 15 ¤¤¤
    [PUP] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | BrowserSafeguard : "C:\Program Files (x86)\Browsersafeguard\BrowserSafeguard.exe" [x] -> Found
    [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 167.206.245.135 167.206.245.136 [UNITED STATES (US)][UNITED STATES (US)] -> Found
    [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 167.206.245.135 167.206.245.136 [UNITED STATES (US)][UNITED STATES (US)] -> Found
    [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 167.206.245.135 167.206.245.136 [UNITED STATES (US)][UNITED STATES (US)] -> Found
    [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Tcpip\Parameters | DhcpNameServer : 167.206.245.135 167.206.245.136 [UNITED STATES (US)][UNITED STATES (US)] -> Found
    [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7FD350ED-A4B7-481B-8EB4-15749E21A757} | DhcpNameServer : 167.206.245.135 167.206.245.136 [UNITED STATES (US)][UNITED STATES (US)] -> Found
    [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{7FD350ED-A4B7-481B-8EB4-15749E21A757} | DhcpNameServer : 167.206.245.135 167.206.245.136 [UNITED STATES (US)][UNITED STATES (US)] -> Found
    [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{7FD350ED-A4B7-481B-8EB4-15749E21A757} | DhcpNameServer : 167.206.245.135 167.206.245.136 [UNITED STATES (US)][UNITED STATES (US)] -> Found
    [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Tcpip\Parameters\Interfaces\{7FD350ED-A4B7-481B-8EB4-15749E21A757} | DhcpNameServer : 167.206.245.135 167.206.245.136 [UNITED STATES (US)][UNITED STATES (US)] -> Found
    [PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Found
    [PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Found
    [PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-2896351573-1439903457-3680831720-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowVideos : 0 -> Found
    [PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-2896351573-1439903457-3680831720-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Found
    [PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-2896351573-1439903457-3680831720-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowVideos : 0 -> Found
    [PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-2896351573-1439903457-3680831720-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Found

    ¤¤¤ Tasks : 0 ¤¤¤

    ¤¤¤ Files : 0 ¤¤¤

    ¤¤¤ Hosts File : 0 ¤¤¤

    ¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

    ¤¤¤ Web browsers : 0 ¤¤¤

    ¤¤¤ MBR Check : ¤¤¤
    +++++ PhysicalDrive0: SanDisk SD6SB1M256G1022I SATA Disk Device +++++
    --- User ---
    [MBR] 7a22bac6ca1517059c190a0bc87665c0
    [BSP] 1cf87e10792a88b63ec14b5ce1240692 : Linux|VT.Unknown MBR Code
    Partition table:
    0 - EFI system partition | Offset (sectors): 2048 | Size: 100 MB
    1 - Microsoft reserved partition | Offset (sectors): 206848 | Size: 128 MB
    2 - Basic data partition | Offset (sectors): 468992 | Size: 215355 MB
    3 - | Offset (sectors): 441520128 | Size: 477 MB
    4 - | Offset (sectors): 442497024 | Size: 9537 MB
    5 - | Offset (sectors): 462028800 | Size: 18598 MB
    User = LL1 ... OK
    User = LL2 ... OK

    +++++ PhysicalDrive1: ST1000DM 003-1CH162 SATA Disk Device +++++
    --- User ---
    [MBR] 72bf5b5fd09eee1a8aaedecff4bbe8e6
    [BSP] a7c5c8dfee893117247a1a7abd9c9822 : Windows XP MBR Code
    Partition table:
    0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 953868 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
    User = LL1 ... OK
    User = LL2 ... OK

    +++++ PhysicalDrive2: Generic- SD/MMC USB Device +++++
    Error reading User MBR! ([15] The device is not ready. )
    Error reading LL1 MBR! NOT VALID!
    Error reading LL2 MBR! ([32] The request is not supported. )

    +++++ PhysicalDrive3: Generic- Compact Flash USB Device +++++
    Error reading User MBR! ([15] The device is not ready. )
    Error reading LL1 MBR! NOT VALID!
    Error reading LL2 MBR! ([32] The request is not supported. )

    +++++ PhysicalDrive4: Generic- SM/xD-Picture USB Device +++++
    Error reading User MBR! ([15] The device is not ready. )
    Error reading LL1 MBR! NOT VALID!
    Error reading LL2 MBR! ([32] The request is not supported. )

    +++++ PhysicalDrive5: Generic- MS/MS-Pro USB Device +++++
    Error reading User MBR! ([15] The device is not ready. )
    Error reading LL1 MBR! NOT VALID!
    Error reading LL2 MBR! ([32] The request is not supported. )
     
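    Added example, not part of the thread: a small Python parser for the "Registry" section format RogueKiller prints above, tagging each finding the way a responder reads it (the PUP run key, the DHCP DNS entries, the UAC policy). The sample lines are constructed copies of three entries from this log; the note that ConsentPromptBehaviorAdmin defaults to 5 on Windows 7 and that PUM means "potentially unwanted modification" are general facts, not from the post.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the format RogueKiller uses for its "Registry" section:
# a PUP run key, a PUM.Dns entry and a PUM.Policies entry, as seen in this thread.
SAMPLE_LOG = r"""
¤¤¤ Registry : 3 ¤¤¤
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | BrowserSafeguard : "C:\Program Files (x86)\Browsersafeguard\BrowserSafeguard.exe" [x] -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 167.206.245.135 167.206.245.136 [UNITED STATES (US)][UNITED STATES (US)] -> Found
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Found
"""

# One registry finding: [category] (arch) key | value-name : data -> status
ENTRY_RE = re.compile(
    r"^\[(?P<category>[^\]]+)\] \((?P<arch>X86|X64)\) (?P<key>.+?) \| "
    r"(?P<name>[^:]+?) : (?P<data>.*?) -> (?P<status>\w+)$"
)

@dataclass
class RegistryFinding:
    category: str
    arch: str
    key: str
    name: str
    data: str
    status: str

def parse_registry_findings(log_text: str) -> List[RegistryFinding]:
    """Return every line of the log that matches RogueKiller's registry-entry format."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            findings.append(RegistryFinding(**m.groupdict()))
    return findings

def triage(f: RegistryFinding) -> str:
    """Short defender-side tag for each finding class that appears in the thread's log."""
    if f.category == "PUP":
        return "pup-autostart"        # third-party program set to run at logon: review, remove if unwanted
    if f.name == "ConsentPromptBehaviorAdmin" and f.data == "0":
        return "uac-prompt-disabled"  # admins elevate silently; Windows 7 default is 5 (prompt for consent)
    if f.name == "DhcpNameServer":
        return "dns-verify"           # confirm the DHCP-assigned resolvers belong to the ISP or router
    if f.category == "PUM.StartMenu":
        return "cosmetic"             # Start menu display preference, not a security setting
    return "informational"
```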
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please attach your logs.....don't post them inline.

    Nothing wrong in that RogueKiller log.

    Do you have a spam filter with your email program?
     
  7. Joe Ciaravino

    Joe Ciaravino Specialist

    I think so. It's SeaMonkey.
    SeaMonkey comes after my ISP which is Optimum Online. Assume that I have filters with it, but not sure.

    The Malwarebytes scan showed nothing.
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Hitman? Can you attach that log?
     
  9. Joe Ciaravino

    Joe Ciaravino Specialist

    TDSSKiller................no threats found
     
  10. Joe Ciaravino

    Joe Ciaravino Specialist

    HitmanPro might have found it.
    See attached.
     

  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Fix everything it found. Reboot and rescan with Hitman and attach the new log.
     
  12. Joe Ciaravino

    Joe Ciaravino Specialist

    Fixed, rebooted and re-ran Hitman.
    Here's the new log, attached.
     

  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    The log is clean. Are you still having issues?
     
  14. Joe Ciaravino

    Joe Ciaravino Specialist

    Too soon to tell. I'll let you know if I still get the emails. CPU "seems" to have calmed down a bit, but hard for me to tell.
    Can I send a log of running processes, services, etc like before and you can advise as to which ones to eliminate?
    You guys still doing Hijack This?
     
  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    HijackThis is part of MGLogs.zip......which you never attached.
     
  16. Joe Ciaravino

    Joe Ciaravino Specialist

    OK
    I'll do that after we're sure that all malware is removed.
    Can we continue HT in this thread or must I start another?
     
  17. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Continue in this thread.
     
  18. Joe Ciaravino

    Joe Ciaravino Specialist

    I just got another bogus email. :(
     
  19. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Mark it as spam and delete it.
     
  20. Joe Ciaravino

    Joe Ciaravino Specialist

    Every time I get one of those, and have gotten about 14 over the last 2 weeks, I set up a "filter" for the email address, delete from the POP server, and delete from my inbox. Every one of them uses a different sender's address, so every one requires the above actions.
    Is there any way that I can stop these annoying emails? Cleaning the computer of malware doesn't seem to have fixed that particular problem.
     
  21. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    The only way you will stop this is to create a new email address.
     
  22. Joe Ciaravino

    Joe Ciaravino Specialist

    OK. So time to move on.
    I'll finish following the Win 7 malware removal instructions and then we'll create a HT log. OK?
     
  23. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    No.....follow the instructions and run MGTools.exe and attach the C:\MGLogs.zip
     
  24. Joe Ciaravino

    Joe Ciaravino Specialist

    See attached MGLogs.zip file.
     

  25. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  26. Joe Ciaravino

    Joe Ciaravino Specialist

    Thank you.
    I saw that HijackThis was included in the MGtools.exe logs? If so, I assume that you checked it. Right? So there's no need for me to run HijackThis separately. Right?
    So you're saying that I'm good to go?
    What should I do next?
    Once completed, I'll play with StartupCPL.
    You people are awesome!
     
  27. Joe Ciaravino

    Joe Ciaravino Specialist

    I have just gotten another of the MSE requests for the same 4 files for their examination.
    There is still something very definitely wrong here!!!!
     
  28. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Attach a log.
     
  29. Joe Ciaravino

    Joe Ciaravino Specialist

    Which log do you need?
     
  30. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    From MSE so I can see what it is complaining about .
     
  31. Joe Ciaravino

    Joe Ciaravino Specialist

    C:\windows\sysWOW64\EuGdiDrv.sys
    C:\windows\system32\EuGdiDrv.sys
    C:\windows\sysWOW64\epmntdrv.sys
    C:\windows\system32\epmntdrv.sys

    If I go to history in MSE, there is no record of these files having been offenders.
     
  32. Joe Ciaravino

    Joe Ciaravino Specialist

    I completed all steps of the instructions, and lastly toggled system restore.

    I have a lot of folders on the C drive that are locked and I can no longer access them. Please help me fix this.


    I want to end this and return to a semblance of "normal" although I see that this computer will never be the same again.

    Thank you for your help so far.

    PS: I will have to live with the unwanted emails and the persistent popup from MSE looking to report suspect files.
     
  33. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Download OTM by Old Timer and save it to your Desktop.


    • Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
    • Paste the following code under the [IMG] area. Do not include the word Code.


    Code:
    :Processes
    explorer.exe
    
    :files
    C:\windows\sysWOW64\EuGdiDrv.sys
    C:\windows\system32\EuGdiDrv.sys
    C:\windows\sysWOW64\epmntdrv.sys
    C:\windows\system32\epmntdrv.sys
    
    :Commands
    [emptytemp]
    [start explorer]
    [Reboot]

    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large [IMG] button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.


    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.
     
  34. Joe Ciaravino

    Joe Ciaravino Specialist

    Logfile
     

  35. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Ok......at this point, all I can suggest to you is to create a new email account. If you create an account with gmail, it has a built in spam filter.
     