
Antivir guard turned off/ Running in safe mode only


  • This topic is locked
6 replies to this topic

#1 Grogan

  • Members
  • 4 posts
  • Local time: 11:02 PM

Posted 01 December 2012 - 06:23 PM

Hello!

Today I decided to install ZoneAlarm firewall because I wasn't using any firewall or antivirus (I usually do an online scan once a month or so). It made a detection while running the first scan after install and couldn't erase the infected file it found. Then all apps just shut down and the computer restarted, so I restarted directly in safe mode. I tried to launch MalwareBytes but it didn't detect anything. Then I tried Avira. During the install some messages popped up; I kept ignoring them and could launch Avira. The problem is that I can't make a scan because it says the licence expired yesterday.

So I found this thread on Avira's forum. I ran TDSSKiller and deleted 4 processes. Then I ran OTL as shown on the other thread. The next step was to run AntiZeroAccess but it doesn't run on a 64-bit OS.

I didn't want to run ComboFix because 1) I may not have the same problem, 2) it looks dangerous when you don't know how to use it.

I'm still in safe mode right now because I tried once to reboot in normal Windows mode but a console started, I got scared and rebooted.

Here are the dds.txt and the attach.txt.
Thanks in advance for your help!




DDS (Ver_2012-11-20.01) - NTFS_AMD64 NETWORK
Internet Explorer: BrowserJavaVersion: 10.7.2
Run by Tank at 23:37:33 on 2012-12-01
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.33.1033.18.2047.1507 [GMT 1:00]
.
AV: AntiVir Desktop *Enabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AntiVir Desktop *Enabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\Explorer.EXE
C:\Windows\system32\ctfmon.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://search.babylon.com/home?AF=100581
uURLSearchHooks: {05eeb91a-aef7-4f8a-978f-fb83e7b03f8e} - <orphaned>
mWinlogon: Userinit = userinit.exe,
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: {26f1620a-4776-16e5-8c8a-418bc231ac9d} - <orphaned>
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: ZoneAlarm Security Engine Registrar: {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\TrustCheckerIEPlugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
BHO: {E6BD0EDA-462C-A9F8-D970-D1DE5CAB920D} - <orphaned>
TB: ZoneAlarm Security Engine: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\TrustCheckerIEPlugin.dll
TB: ZoneAlarm Security Engine: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\TrustCheckerIEPlugin.dll
uRun: [ccleaner] "C:\Program Files\CCleaner\CCleaner64.exe" /AUTO
uRun: [RocketDock] "C:\Program Files (x86)\RocketDock\RocketDock.exe"
uRun: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
uRunOnce: [FlashPlayerUpdate] C:\Windows\SysWOW64\Macromed\Flash\FlashUtil11f_Plugin.exe -update plugin
mRun: [DigidesignMMERefresh] C:\Program Files (x86)\Digidesign\Drivers\MMERefresh.exe
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [LogMeIn Hamachi Ui] "C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe" --auto-start
mRun: [M-Audio Taskbar Icon] C:\Windows\System32\DeltaIITray.exe
mRun: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
mRun: [ZoneAlarm Installer] "C:\Program Files (x86)\CheckPoint\Install\Launcher.exe" "C:\Program Files (x86)\CheckPoint\Install\Install.exe" /r /c "C:\Program Files (x86)\CheckPoint\Install\Install.xml"
mRunOnce: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
mRunOnce: [C9260CE1-E7CD-449F-8BC3-B7148817684D] cmd.exe /C start /D "C:\Users\Tank\AppData\Local\Temp" /B C9260CE1-E7CD-449F-8BC3-B7148817684D.exe -postboot
mRunOnce: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript
mRunOnce: [D19E9578-C363-4A3F-BDD4-B9353E1D976A] cmd.exe /C start /D "C:\Users\Tank\AppData\Local\Temp" /B D19E9578-C363-4A3F-BDD4-B9353E1D976A.exe -activeimages -postboot
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\RAINME~1.LNK - C:\Program Files\Rainmeter\Rainmeter.exe
uPolicies-Explorer: HideSCABattery = dword:1
uPolicies-Explorer: HideSCANetwork = dword:1
uPolicies-Explorer: HideSCAVolume = dword:1
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-Explorer: HideSCAHealth = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{B5978B52-EB3B-4396-ADDF-B2E9404104B0} : DHCPNameServer = 192.168.1.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
SSODL: WebCheck - <orphaned>
x64-BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
x64-BHO: ZoneAlarm Security Engine Registrar: {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
x64-BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
x64-TB: ZoneAlarm Security Engine: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
x64-Run: [ISW] "C:\Program Files\CheckPoint\ZAForceField\ForceField.exe" /icon="hidden"
x64-RunOnce: [GrpConv] grpconv -o
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Notify: WB - C:\PROGRA~2\Stardock\OBJECT~1\WINDOW~1\fast64.dll
x64-SSODL: WebCheck - <orphaned>
Hosts: 67.221.174.30 tagged.com
Hosts: 204.9.178.11 typepad.com
Hosts: 74.113.152.32 istockphoto.com
Hosts: 208.94.0.38 yfrog.com
Hosts: 63.309.5.102 virustotal.com
.
Note: multiple HOSTS entries found. Please refer to Attach.txt
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Tank\AppData\Roaming\Mozilla\Firefox\Profiles\jxg6xzic.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://duckduckgo.com/
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 49758
FF - prefs.js: network.proxy.type - 0
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.123\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
.
============= SERVICES / DRIVERS ===============
.
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\Windows\System32\drivers\dtsoftbus01.sys [2011-4-13 254528]
R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe [2012-11-19 2462128]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;C:\Windows\System32\drivers\l160x64.sys [2009-6-25 58368]
R3 athur;Wireless Network Adapter Service;C:\Windows\System32\drivers\athurx.sys [2011-10-30 1847296]
S2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2012-7-28 239616]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [2012-12-1 136360]
S2 AntiVirService;Avira AntiVir Guard;C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [2012-12-1 269480]
S2 ASTSRV;Nalpeiron Licensing Service;C:\Windows\System32\ASTSRV.EXE --> C:\Windows\System32\ASTSRV.EXE [?]
S2 avgntflt;avgntflt;C:\Windows\System32\drivers\avgntflt.sys [2012-12-1 88288]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 ISWKL;ZoneAlarm LTD Toolbar ISWKL;C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys [2012-11-2 33712]
S2 IswSvc;ZoneAlarm LTD Toolbar IswSvc;C:\Program Files\CheckPoint\ZAForceField\ISWSVC.exe [2012-11-2 827560]
S2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-12-1 399432]
S2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-12-1 676936]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\Windows\System32\drivers\AtihdW76.sys [2012-5-14 96896]
S3 DELTAII;Service for M-Audio Delta Driver (WDM);C:\Windows\System32\drivers\MAudioDelta.sys [2012-1-25 339760]
S3 dmvsc;dmvsc;C:\Windows\System32\drivers\dmvsc.sys [2010-11-21 71168]
S3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2011-6-24 1432400]
S3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2011-11-2 25928]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2010-11-21 20992]
S3 Synth3dVsc;Synth3dVsc;C:\Windows\System32\drivers\Synth3dVsc.sys [2010-11-21 88960]
S3 terminpt;Microsoft Remote Desktop Input Driver;C:\Windows\System32\drivers\terminpt.sys [2010-11-21 34816]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-21 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-21 31232]
S3 tsusbhub;tsusbhub;C:\Windows\System32\drivers\tsusbhub.sys [2010-11-21 117248]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2011-8-2 51712]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;C:\Program Files\Microsoft SQL Server\100\Shared\sqladhlp.exe [2009-7-22 61976]
S4 RsFx0103;RsFx0103 Driver;C:\Windows\System32\drivers\RsFx0103.sys [2009-3-30 311656]
S4 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-7-13 160944]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2009-3-30 427880]
.
=============== File Associations ===============
.
FileExt: .inf: inffile=C:\Windows\System32\NOTEPAD.EXE %1 [UserChoice]
.
=============== Created Last 30 ================
.
2012-12-01 18:42:14 -------- d-----w- C:\TDSSKiller_Quarantine
2012-12-01 18:16:54 -------- d-----w- C:\Users\Tank\AppData\Roaming\Avira
2012-12-01 18:15:32 88288 ----a-w- C:\Windows\System32\drivers\avgntflt.sys
2012-12-01 18:15:32 -------- d-----w- C:\ProgramData\Avira
2012-12-01 18:15:32 -------- d-----w- C:\Program Files (x86)\Avira
2012-12-01 18:00:05 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-12-01 00:22:31 108008 ----a-w- C:\Windows\System32\WindowsAccessBridge-64.dll
2012-11-30 16:24:10 -------- d-----w- C:\Program Files (x86)\Audiograbber
2012-11-30 12:52:31 -------- d-----w- C:\Program Files\M-Audio
2012-11-30 12:46:33 -------- d-----w- C:\ProgramData\AVID
2012-11-25 15:46:30 -------- d-----w- C:\Program Files (x86)\LogMeIn Hamachi
2012-11-15 14:10:14 33856 ---ha-w- C:\Windows\System32\hamachi.sys
2012-11-06 18:30:29 -------- d-----w- C:\Users\Tank\AppData\Local\DigitalVolcano
2012-11-06 13:46:39 -------- d-----w- C:\Program Files (x86)\Duplicate Cleaner
2012-11-05 20:48:56 -------- d-----w- C:\Program Files\Common Files\Autodesk Shared
2012-11-05 20:48:56 -------- d-----w- C:\Program Files\Autodesk
2012-11-05 20:45:57 -------- d-----w- C:\Program Files (x86)\Common Files\Autodesk Shared
.
==================== Find3M ====================
.
2012-12-01 00:22:27 916456 ----a-w- C:\Windows\System32\deployJava1.dll
2012-12-01 00:22:27 1034216 ----a-w- C:\Windows\System32\npDeployJava1.dll
2012-11-21 15:30:34 73 ----a-w- C:\Windows\SysWow64\ssprs.dll
2012-11-21 15:30:34 205 ----a-w- C:\Windows\SysWow64\lsprst7.dll
2012-10-15 14:13:57 314016 ----a-w- C:\Windows\System32\drivers\atksgt.sys
2012-10-15 14:13:56 43680 ----a-w- C:\Windows\System32\drivers\lirsgt.sys
2012-10-01 13:36:27 95208 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2012-10-01 13:36:27 821736 ----a-w- C:\Windows\SysWow64\npDeployJava1.dll
2012-10-01 13:36:27 746984 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2012-09-29 18:54:26 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-09-23 11:16:14 1025 ----a-w- C:\Windows\SysWow64\sysprs7.dll
2012-09-23 11:16:14 1025 ----a-w- C:\Windows\SysWow64\clauth2.dll
2012-09-23 11:16:14 1025 ----a-w- C:\Windows\SysWow64\clauth1.dll
.
============= FINISH: 23:37:39,91 ===============

Edited by Grogan, 01 December 2012 - 07:53 PM.
Moved from Am I Infected to Malware Removal Logs - Hamluis.


#2 Grogan (Topic Starter)

  • Members
  • 4 posts
  • Local time: 11:02 PM

Posted 01 December 2012 - 06:35 PM

Oops, it seems I forgot the link to the thread on Avira's forum:

http://forum.avira.com/wbb/index.php?page=Thread&postID=1114538

#3 Grogan (Topic Starter)

  • Members
  • 4 posts
  • Local time: 11:02 PM

Posted 01 December 2012 - 10:27 PM

I ran the ESET online scan and it found something:

W32/toolbar.Funmods applications

or

agentsetup183.se.exe

Unfortunately it couldn't solve the problem because the virus blocks the installation of the trial version of ESET NOD32 (even when running it as admin).

I forgot to mention earlier that I couldn't install HijackThis (I didn't know I had to install it though; you didn't have to before).

I did a full scan with Malwarebytes but it didn't find anything.


I was luckier with RogueKiller: it found and solved a few things. Here are the logs, but I'm not sure what I can do next?

RogueKiller V8.3.1 [Nov 29 2012] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Safe mode with network support
User : Tank [Admin rights]
Mode : Remove -- Date : 02/12/2012 04:09:24

Bad processes : 0

Registry Entries : 24
[RUN][SUSP PATH] HKLM\[...]\Wow6432Node\RunOnce : C9260CE1-E7CD-449F-8BC3-B7148817684D (cmd.exe /C start /D "C:\Users\Tank\AppData\Local\Temp" /B C9260CE1-E7CD-449F-8BC3-B7148817684D.exe -postboot) -> DELETED
[RUN][SUSP PATH] HKLM\[...]\Wow6432Node\RunOnce : D19E9578-C363-4A3F-BDD4-B9353E1D976A (cmd.exe /C start /D "C:\Users\Tank\AppData\Local\Temp" /B D19E9578-C363-4A3F-BDD4-B9353E1D976A.exe -activeimages -postboot) -> DELETED
[TASK][SUSP PATH] At9.job : c:\windows\hti.exe -> DELETED
[TASK][SUSP PATH] At8.job : c:\windows\bch.exe -> DELETED
[TASK][SUSP PATH] At7.job : c:\windows\dss.exe -> DELETED
[TASK][SUSP PATH] At6.job : C:\windows\cdi.exe -> DELETED
[TASK][SUSP PATH] At5.job : c:\windows\xtr.exe -> DELETED
[TASK][SUSP PATH] At4.job : c:\windows\hti.exe -> DELETED
[TASK][SUSP PATH] At3.job : c:\windows\bch.exe -> DELETED
[TASK][SUSP PATH] At2.job : c:\windows\dss.exe -> DELETED
[TASK][SUSP PATH] At10.job : c:\windows\xtr.exe -> DELETED
[PROXY IE] HKCU\[...]\Internet Settings : ProxyEnable (1) -> NOT REMOVED, USE PROXYFIX
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> REPLACED (2)
[HJ] HKLM\[...]\System : EnableLUA (0) -> REPLACED (1)
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> REPLACED (1)
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowUser (0) -> REPLACED (1)
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> REPLACED (1)
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowDownloads (0) -> REPLACED (1)
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowVideos (0) -> REPLACED (1)
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowHelp (0) -> REPLACED (1)
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> REPLACED (1)
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> REPLACED (1)
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

Particular Files / Folders:

Driver : [NOT LOADED]

HOSTS File:
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 activate.adobe.com
127.0.0.1 practivate.adobe.com
127.0.0.1 ereg.adobe.com
127.0.0.1 activate.wip3.adobe.com
127.0.0.1 wip3.adobe.com
127.0.0.1 3dns-3.adobe.com
127.0.0.1 3dns-2.adobe.com
127.0.0.1 adobe-dns.adobe.com
127.0.0.1 adobe-dns-2.adobe.com
127.0.0.1 adobe-dns-3.adobe.com
127.0.0.1 ereg.wip3.adobe.com
127.0.0.1 activate-sea.adobe.com
127.0.0.1 wwis-dubc1-vip60.adobe.com
127.0.0.1 activate-sjc0.adobe.com
67.221.174.30 tagged.com
204.9.178.11 typepad.com
74.113.152.32 istockphoto.com
208.94.0.38 yfrog.com
63.309.5.102 virustotal.com
123.125.50.22 126.com
[...]


MBR Check:

+++++ PhysicalDrive0: SAMSUNG HD501LJ ATA Device +++++
--- User ---
[MBR] 0927b901a763e65d486658d926317807
[BSP] a67c867287f6110add0ded323e09361f : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] FAT16 (0x06) [VISIBLE] Offset (sectors): 2048 | Size: 238534 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 488519680 | Size: 119202 Mo
2 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 732660390 | Size: 119185 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: WDC WD5000AAVS-00ZTB0 ATA Device +++++
--- User ---
[MBR] fb39c0a9b52974c499096062ff3d3f8b
[BSP] ac81c49497f3a39b5fffccbbe6d222fa : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 250003 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 512008192 | Size: 55465 Mo
2 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 625600512 | Size: 58001 Mo
3 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 744387840 | Size: 113466 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive2: USB DISK 2.0 USB Device +++++
--- User ---
[MBR] 095320052aa9155e05cc19de1e29816f
[BSP] 46f8d352e5c4e9b6c63835e0cab65431 : MBR Code unknown
Partition table:
0 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 8064 | Size: 15268 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[2]_D_02122012_040924.txt >>
RKreport[1]_S_02122012_040654.txt ; RKreport[2]_D_02122012_040924.txt


RogueKiller V8.3.1 [Nov 29 2012] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Safe mode with network support
User : Tank [Admin rights]
Mode : HOSTSFix -- Date : 02/12/2012 04:09:44

Bad processes : 0

Registry Entries : 0

Driver : [NOT LOADED]

HOSTS File:
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 activate.adobe.com
127.0.0.1 practivate.adobe.com
127.0.0.1 ereg.adobe.com
127.0.0.1 activate.wip3.adobe.com
127.0.0.1 wip3.adobe.com
127.0.0.1 3dns-3.adobe.com
127.0.0.1 3dns-2.adobe.com
127.0.0.1 adobe-dns.adobe.com
127.0.0.1 adobe-dns-2.adobe.com
127.0.0.1 adobe-dns-3.adobe.com
127.0.0.1 ereg.wip3.adobe.com
127.0.0.1 activate-sea.adobe.com
127.0.0.1 wwis-dubc1-vip60.adobe.com
127.0.0.1 activate-sjc0.adobe.com
67.221.174.30 tagged.com
204.9.178.11 typepad.com
74.113.152.32 istockphoto.com
208.94.0.38 yfrog.com
63.309.5.102 virustotal.com
123.125.50.22 126.com
[...]


Reset HOSTS:


Finished : << RKreport[3]_H_02122012_040944.txt >>
RKreport[1]_S_02122012_040654.txt ; RKreport[2]_D_02122012_040924.txt ; RKreport[3]_H_02122012_040944.txt


RogueKiller V8.3.1 [Nov 29 2012] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Safe mode with network support
User : Tank [Admin rights]
Mode : ProxyFix -- Date : 02/12/2012 04:10:24

Bad processes : 0

Registry Entries : 1
[PROXY IE] HKCU\[...]\Internet Settings : ProxyEnable (1) -> NOT SELECTED

Driver : [NOT LOADED]

Finished : << RKreport[4]_PR_02122012_041024.txt >>
RKreport[1]_S_02122012_040654.txt ; RKreport[2]_D_02122012_040924.txt ; RKreport[3]_H_02122012_040944.txt ; RKreport[4]_PR_02122012_041024.txt





If you have any ideas on what I should do next!
Thanks!

#4 TheShooter93 (Cody)

  • Malware Response Team
  • 4,792 posts
  • Gender: Male
  • Location: Orlando, Florida
  • Local time: 12:02 AM

Posted 04 December 2012 - 09:53 PM

Hello Grogan,

My name is Cody and I'll be helping you clean up your computer.

I will reply as soon as possible (typically within 48 hours). In turn, I ask that you please respond within 72 hours. If you know you will be away longer than that, I just ask for notice ahead of time.

Some points for you to keep in mind:

  • Do NOT run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Do not attach logs or use code boxes, just copy and paste the text.
    • It's simply easier for me to analyze logs in this format.
  • Provide feedback about your experience as we go.
    • Every post you make, please describe in detail how the computer is behaving. "The same" is not detailed enough. If you have any questions at any point, feel free to ask.

NOTE: When you post your reply, do not use the Posted Image button but use the Posted Image button instead.

In the upper right hand corner of the topic you will see the Posted Image button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

-----------------------------------------

Also, since you have made some changes since the original post, I would like to see a new DDS.txt log and attach.txt log in your next post, please.

Edited by TheShooter93, 04 December 2012 - 09:54 PM.

CCNA R&S | CCNA Security | Network+ | B.S. - Information Technology | Cyber Security Engineer

If I am helping you and have not replied within 48 hours, please send me a private message.


#5 Grogan (Topic Starter)

  • Members
  • 4 posts
  • Local time: 11:02 PM

Posted 05 December 2012 - 04:56 AM

That's alright! Problems solved!

Thanks!

#6 TheShooter93 (Cody)

  • Malware Response Team
  • 4,792 posts
  • Gender: Male
  • Location: Orlando, Florida
  • Local time: 12:02 AM

Posted 05 December 2012 - 08:56 AM

You're welcome. :thumbup2:


#7 Elise (Bleepin' Blonde)

  • Malware Study Hall Admin
  • 61,203 posts
  • Gender: Female
  • Location: Romania
  • Local time: 07:02 AM

Posted 05 December 2012 - 10:42 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft



