
Zero access kit virus/ Having problems installing dds program


  • This topic is locked
13 replies to this topic

#1 getmadnow17

getmadnow17

  • Members
  • 9 posts

Posted 27 June 2013 - 06:23 AM

Hi again,

I made a thread a couple of days ago about my ZeroAccess rootkit virus issue.

Earlier this month, I was infected with a Blaster worm virus. I took the advice from another site and downloaded Anvi Defender. The Anvi Defender removed the Blaster worm but since installing it, I have not been able to download anything. Any file I try to download, I get a window message that the file ‘contained a virus and was deleted’, which apparently means I have been affected with a ZeroAccess rootkit virus. I downloaded the McAfee rootkit removal program to no avail. What’s the best way to remove it?

http://www.bleepingcomputer.com/forums/t/499181/zero-access-root-kill-virus-how-do-i-remove-it/#entry3087539

I received a response pretty quickly after. I followed the preparation steps but I have had problems fully installing the DDS program. I have attempted to install a couple of times and it keeps stalling at the 75%-80% mark. I don’t know what to do.

 

 





#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 28 June 2013 - 03:47 AM

I will need you to download this program from a clean computer and transfer it to this computer to run.


I would like to get some more information from the computer so I would like you to run this for me.


Please download the Farbar Recovery Scan Tool from here:

http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/

Save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

Double-click to run it.
When the tool opens click Yes to disclaimer.
Press the Scan button.
It will make a log (FRST.txt) in the same directory the tool is run.

Please attach that log to your reply.
The first time the tool is run, it makes a second log (Addition.txt).
Please attach that to your reply as well.
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 getmadnow17

getmadnow17
  • Topic Starter

  • Members
  • 9 posts

Posted 28 June 2013 - 03:13 PM

Thanks for your response. I finally got the DDS program to download. It produced 2 logs, which I have attached to this post. I will get on to downloading the Farbar program now.

Attached Files



#4 getmadnow17

getmadnow17
  • Topic Starter

  • Members
  • 9 posts

Posted 28 June 2013 - 03:47 PM

Downloaded Farbar. Here are the two logs it produced:

 

Attached Files



#5 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 29 June 2013 - 01:41 PM

Hello getmadnow17



I need you to download this script I have made for you --> Attached File: fixlist.txt (438 bytes)

It needs to be saved next to the "Farbar Recovery Scan Tool" (FRST) program (if asked to overwrite the existing one, please allow).

Run FRST again but this time press the Fix button just once and wait.


When finished, it will make a log (fixlog.txt) next to FRST. Please copy and paste the content of this file to your reply.


NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.


Gringo

Edited by gringo_pr, 29 June 2013 - 01:43 PM.


#6 getmadnow17

getmadnow17
  • Topic Starter

  • Members
  • 9 posts

Posted 29 June 2013 - 06:13 PM

Thanks for your response!

I'm not sure if I did it right but I have pasted the log below. I didn't know what you meant by "It needs to be saved next to the Farbar Recovery", so I just pasted it on top of the FRST icon. Sorry if I wasn't supposed to do that.

Here's the log:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 27-06-2013
Ran by Mummy at 2013-06-29 23:56:59 Run:1
Running from C:\Users\Mummy\Desktop
Boot Mode: Normal

==============================================

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\Internet Security => Value deleted successfully.
MFE_RR => Service deleted successfully.
C:\$Recycle.Bin\S-1-5-21-1454746171-1505024422-1534850942-1000\$0524e6e2e0bfe6743824fa824ddd0de8 => Moved successfully.
C:\$Recycle.Bin\S-1-5-18\$0524e6e2e0bfe6743824fa824ddd0de8 => Moved successfully.
"C:\Program Files\Windows Defender" => Deleting reparse point and unlocking started.
"C:\Program Files\Windows Defender\en-US" => Deleting reparse point and unlocking completed.
"C:\Program Files\Windows Defender\MpAsDesc.dll" => Deleting reparse point and unlocking completed.
"C:\Program Files\Windows Defender\MpClient.dll" => Deleting reparse point and unlocking completed.
"C:\Program Files\Windows Defender\MpCmdRun.exe" => Deleting reparse point and unlocking completed.
"C:\Program Files\Windows Defender\MpCommu.dll" => Deleting reparse point and unlocking completed.
"C:\Program Files\Windows Defender\MpEvMsg.dll" => Deleting reparse point and unlocking completed.
"C:\Program Files\Windows Defender\MpOAV.dll" => Deleting reparse point and unlocking completed.
"C:\Program Files\Windows Defender\MpRTP.dll" => Deleting reparse point and unlocking completed.
"C:\Program Files\Windows Defender\MpSvc.dll" => Deleting reparse point and unlocking completed.
"C:\Program Files\Windows Defender\MSASCui.exe" => Deleting reparse point and unlocking completed.
"C:\Program Files\Windows Defender\MsMpCom.dll" => Deleting reparse point and unlocking completed.
"C:\Program Files\Windows Defender\MsMpLics.dll" => Deleting reparse point and unlocking completed.
"C:\Program Files\Windows Defender\MsMpRes.dll" => Deleting reparse point and unlocking completed.
"C:\Program Files\Windows Defender" => Deleting reparse point and unlocking completed.
"C:\Program Files\Microsoft Security Client" => Not Found

=========  Dir /b /a:l "C:\Program Files" /s =========

File Not Found

========= End of CMD: =========

==== End of Fixlog ====
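The fixlog above shows what the cleanup had to undo: reparse points planted over the Windows Defender folder and its files, two hidden folders under $Recycle.Bin (one in the SYSTEM SID's bin, S-1-5-18), an "Internet Security" value in the current user's Run key and a rogue service, after which it listed any remaining reparse points with `Dir /b /a:l "C:\Program Files" /s`. The PowerShell script below is an added example, not part of this thread, of FRST or of any other tool named here; it repeats those checks read-only so a defender can confirm nothing of that shape is left behind. The function names are my own, the 32-hex-digit folder pattern is taken from the names in the fixlog, and it assumes Windows PowerShell 5.1 or later run from an elevated prompt.

```powershell
# Added example (not from this thread, FRST or any other tool named here).
# Read-only checks for the three places the fixlog above touched.
# Assumes Windows PowerShell 5.1+ and an elevated prompt; function names are assumed.

function Get-ProgramFilesReparsePoints {
    # The fixlog deleted reparse points sitting where Windows Defender's folder and
    # DLLs should be. This is the PowerShell equivalent of its `Dir /b /a:l ... /s`:
    # every junction or symbolic link under Program Files, with where it points.
    param(
        [string[]]$Roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)})
    )
    foreach ($root in $Roots) {
        # ProgramFiles(x86) is empty on a 32-bit system such as the one in this thread.
        if (-not $root -or -not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
            Select-Object FullName, LinkType, Target
    }
}

function Get-RecycleBinHashFolders {
    # The fixlog moved folders named like '$0524e6e2e0bfe6743824fa824ddd0de8' out of
    # per-SID recycle bins. Genuine recycle bin entries are named $I<id> / $R<id>,
    # not a '$' followed by 32 hex digits, so that shape is worth a look.
    param([string]$Drive = $env:SystemDrive)
    $bin = Join-Path -Path $Drive -ChildPath '$Recycle.Bin'
    if (-not (Test-Path -LiteralPath $bin)) { return }
    Get-ChildItem -LiteralPath $bin -Directory -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-ChildItem -LiteralPath $_.FullName -Directory -Force -ErrorAction SilentlyContinue |
                Where-Object { $_.Name -match '^\$[0-9a-fA-F]{32}$' } |
                Select-Object FullName, CreationTime
        }
}

function Get-CurrentUserRunEntries {
    # Lists every value under HKCU\...\Run so an unexpected name (the fixlog removed
    # one called "Internet Security") stands out next to the known ones.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    if (-not (Test-Path -Path $key)) { return }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        [pscustomobject]@{ ValueName = $name; Command = $item.GetValue($name) }
    }
}

# Run all three checks and print a short report; nothing here modifies the system.
$reparse = @(Get-ProgramFilesReparsePoints)
$binDirs = @(Get-RecycleBinHashFolders)
$runVals = @(Get-CurrentUserRunEntries)

"Reparse points under Program Files: $($reparse.Count)"
$reparse | Format-Table -AutoSize
"Hash-named folders under `$Recycle.Bin: $($binDirs.Count)"
$binDirs | Format-Table -AutoSize
"HKCU Run values: $($runVals.Count)"
$runVals | Format-Table -AutoSize
```

A clean machine normally reports zero reparse points under Program Files and zero hash-named recycle bin folders; the Run listing is expected to be non-empty, so read it for names you do not recognise rather than for a count. Any hit is a reason to collect the FRST logs the helper asked for, not to delete things by hand.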



#7 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 29 June 2013 - 08:46 PM



Hello getmadnow17

These are the programs I would like you to run next; if you have any problems with one of these, just skip it and move on to the next one.

-AdwCleaner-

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.
-Junkware-Removal-Tool-

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
When they are complete, let me have the two reports and let me know how things are running.

Gringo

#8 getmadnow17

getmadnow17
  • Topic Starter

  • Members
  • 9 posts

Posted 29 June 2013 - 10:16 PM

I can finally download again. Thank you so much. My paycheck is coming in on Wednesday and the 1st thing I'm going to do is make a donation to you. Thank you, Thank you, Thank You!!!

 

I don't know if you still need the logs but I'll post them anyway.

 

# AdwCleaner v2.303 - Logfile created 06/30/2013 at 03:57:27
# Updated 08/06/2013 by Xplode
# Operating system : Windows 7 Ultimate Service Pack 1 (32 bits)
# User : Mummy - MUMMY-PC
# Boot Mode : Normal
# Running from : C:\Users\Mummy\Desktop\AdwCleaner.exe
# Option [Delete]

***** [Services] *****

***** [Files / Folders] *****

File Deleted : C:\Users\Mummy\AppData\Local\Temp\Uninstall.exe
Folder Deleted : C:\Program Files\BasicScan
Folder Deleted : C:\Program Files\Conduit
Folder Deleted : C:\Program Files\HappyLyrics
Folder Deleted : C:\Program Files\Iminent
Folder Deleted : C:\ProgramData\Babylon
Folder Deleted : C:\ProgramData\BasicScan
Folder Deleted : C:\ProgramData\Tarma Installer
Folder Deleted : C:\Users\Mummy\AppData\Local\Conduit
Folder Deleted : C:\Users\Mummy\AppData\Local\SnappyDeeSA
Folder Deleted : C:\Users\Mummy\AppData\Local\Temp\avg@toolbar
Folder Deleted : C:\Users\Mummy\AppData\Local\Temp\Wajam
Folder Deleted : C:\Users\Mummy\AppData\Local\Tiger Savings
Folder Deleted : C:\Users\Mummy\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\Mummy\AppData\LocalLow\PriceGong
Folder Deleted : C:\Users\Mummy\AppData\Roaming\Babylon

***** [Registry] *****

Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\Software\ConduitSearchScopes
Key Deleted : HKCU\Software\AppDataLow\Software\Crossrider
Key Deleted : HKCU\Software\AppDataLow\Software\PriceGong
Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar
Key Deleted : HKCU\Software\BabylonToolbar
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\Cr_Installer
Key Deleted : HKCU\Software\Iminent
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{33524C00-63FB-43DB-A6BF-0A4E14B24649}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKLM\Software\Babylon
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{02054E11-5113-4BE3-8153-AA8DFB5D3761}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{80922EE0-8A76-46AE-95D5-BD3C3FE0708D}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{94496571-6AC5-4836-82D5-D46260C44B17}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{BC9FD17D-30F6-4464-9E53-596A90AFF023}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{021B4049-F57D-4565-A693-FD3B04786BFA}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{0362AA09-808D-48E9-B360-FB51A8CBCE09}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{06844020-CD0B-3D3D-A7FE-371153013E49}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{0ADC01BB-303B-3F8E-93DA-12C140E85460}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{10D3722F-23E6-3901-B6C1-FF6567121920}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{1675E62B-F911-3B7B-A046-EB57261212F3}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{192929F2-9273-3894-91B0-F54671C4C861}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{2932897E-3036-43D9-8A64-B06447992065}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{2DE92D29-A042-3C37-BFF8-07C7D8893EFA}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{32B80AD6-1214-45F4-994E-78A5D482C000}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{3A8E103F-B2B7-3BEF-B3B0-88E29B2420E4}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{478CE5D3-D38E-3FFE-8DBE-8C4A0F1C4D8D}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{48B7DA4E-69ED-39E3-BAD5-3E3EFF22CFB0}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{5982F405-44E4-3BBB-BAC4-CF8141CBBC5C}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{5D8C3CC3-3C05-38A1-B244-924A23115FE9}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{641593AF-D9FD-30F7-B783-36E16F7A2E08}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{711FC48A-1356-3932-94D8-A8B733DBC7E4}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{72227B7F-1F02-3560-95F5-592E68BACC0C}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{7B5E8CE3-4722-4C0E-A236-A6FF731BEF37}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{890D4F59-5ED0-3CB4-8E0E-74A5A86E7ED0}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{8C68913C-AC3C-4494-8B9C-984D87C85003}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{8D019513-083F-4AA5-933F-7D43A6DA82C4}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{923F6FB8-A390-370E-A0D2-DD505432481D}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9BBB26EF-B178-35D6-9D3D-B485F4279FE5}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{A62DDBE0-8D2A-339A-B089-8CBCC5CD322A}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{A82AD04D-0B8E-3A49-947B-6A69A8A9C96D}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{ADEB3CC9-A05D-4FCC-BD09-9025456AA3EA}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{B06D4521-D09C-3F41-8E39-9D784CCA2A75}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C06DAD42-6F39-4CE1-83CC-9A8B9105E556}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C2E799D0-43A5-3477-8A98-FC5F3677F35C}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D16107CD-2AD5-46A8-BA59-303B7C32C500}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D25B101F-8188-3B43-9D85-201F372BC205}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D2BA7595-5E44-3F1E-880F-03B3139FA5ED}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D35F5C81-17D9-3E1C-A1FC-4472542E1D25}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D8FA96CA-B250-312C-AF34-4FF1DD72589D}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{DAFC1E63-3359-416D-9BC2-E7DCA6F7B0F3}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{DC5E5C44-80FD-3697-9E65-9F286D92F3E7}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E1B4C9DE-D741-385F-981E-6745FACE6F01}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E7B623F5-9715-3F9F-A671-D1485A39F8A2}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{ED916A7B-7C68-3198-B87D-2DABC30A5587}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EFA1BDB2-BB3D-3D9A-8EB5-D0D22E0F64F4}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{F4CBF4DD-F8FE-35BA-BB7E-68304DAAB70B}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{FC32005D-E27C-32E0-ADFA-152F598B75E7}
Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3220468
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{13ABD093-D46F-40DF-A608-47E162EC799D}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{2BF2028E-3F3C-4C05-AB45-B2F1DCFE0759}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{DB538320-D3C5-433C-BCA9-C4081A054FCF}
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\Iminent
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{628F3201-34D0-49C0-BB9A-82A26AEFB291}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68B81CCD-A80C-4060-8947-5AE69ED01199}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E6B969FB-6D33-48D2-9061-8BBD4899EB08}
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\Iminent_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\Iminent_RASMANCS
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0238BBE24EA3A70408B81E4BB89C15E5
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\29799DE249E7DBC459FC6C8F07EB8375
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\F7652513C62FF63448CFF05163719DB7
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchTheWebARP
Key Deleted : HKLM\Software\Tarma Installer
Key Deleted : HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\{33524C00-63FB-43DB-A6BF-0A4E14B24649}

***** [Internet Browsers] *****

-\\ Internet Explorer v10.0.9200.16611

[OK] Registry is clean.

-\\ Mozilla Firefox v21.0 (en-GB)

File : C:\Users\Mummy\AppData\Roaming\Mozilla\Firefox\Profiles\vp5fa1p7.default\prefs.js

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [8734 octets] - [30/06/2013 03:57:27]

########## EOF - C:\AdwCleaner[S1].txt - [8794 octets] ##########

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.9.4 (05.06.2013:1)
OS: Windows 7 Ultimate x86
Ran by Mummy on Sun 06/30/2013 at  4:01:28.19
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

~~~ Services

 

~~~ Registry Values

 

~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{6B758C3B-E4B9-4D50-AAF4-6D33BF186908}

 

~~~ Files

 

~~~ Folders

 

~~~ Event Viewer Logs were cleared

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 06/30/2013 at  4:04:10.76
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

 

 

 

 

 

I was also wondering how do I prevent my laptop from contracting this kind of virus again?



#9 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 29 June 2013 - 11:07 PM


Hello getmadnow17

I would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out here or here.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"Information and logs"
In your next post I need the following:
  • Log from Combofix
  • Let me know of any problems you may have had
  • How is the computer doing now?
Gringo

#10 getmadnow17

getmadnow17
  • Topic Starter

  • Members
  • 9 posts

Posted 30 June 2013 - 09:38 AM

I downloaded Combofix but it didn't produce any logs. I downloaded it twice but no logs.



#11 getmadnow17

getmadnow17
  • Topic Starter

  • Members
  • 9 posts

Posted 30 June 2013 - 10:28 AM

My mistake. An hour after downloading the program, it started running properly and produced this log:

ComboFix 13-06-30.01 - Mummy 06/30/2013  15:55:43.1.2 - x86
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.1.1033.18.1014.256 [GMT 1:00]
Running from: c:\users\Mummy\Downloads\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\d23036d1441e839d4cd4b6963d7c5ba7_c
c:\users\Mummy\AppData\Local\.#
c:\users\Mummy\AppData\Local\.#\MBX@14E4@1501F90.###
c:\users\Mummy\AppData\Local\.#\MBX@14E4@1501FA0.###
c:\users\Mummy\AppData\Local\.#\MBX@14E4@1502090.###
c:\users\Mummy\AppData\Local\.#\MBX@14E4@15020B0.###
c:\users\Mummy\AppData\Local\.#\MBX@814@201F90.###
c:\users\Mummy\AppData\Local\.#\MBX@814@201FA0.###
c:\users\Mummy\AppData\Local\.#\MBX@814@202090.###
c:\users\Mummy\AppData\Local\.#\MBX@814@2020B0.###
c:\users\Mummy\AppData\Local\.#\MBX@818@3C1F90.###
c:\users\Mummy\AppData\Local\.#\MBX@818@3C1FA0.###
c:\users\Mummy\AppData\Local\.#\MBX@818@3C2090.###
c:\users\Mummy\AppData\Local\.#\MBX@818@3C20B0.###
c:\users\Mummy\AppData\Local\Microsoft\Windows\Temporary Internet Files\{47B8C1B7-125F-47A5-ADBB-F80ACF8D7F3C}.xps
c:\users\Mummy\AppData\Local\Microsoft\Windows\Temporary Internet Files\{ABA6CB23-FF6F-46E3-98CC-8281D9DCD91B}.xps
c:\users\Public\sdelevURL.tmp
.
.
(((((((((((((((((((((((((   Files Created from 2013-05-28 to 2013-06-30  )))))))))))))))))))))))))))))))
.
.
2013-06-30 15:15 . 2013-06-30 15:15 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-06-30 13:22 . 2013-06-12 04:18 7068072 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C057F2FE-6AFC-400F-B4F3-500EDF4B604B}\mpengine.dll
2013-06-30 03:01 . 2013-06-30 03:01 -------- d-----w- c:\windows\ERUNT
2013-06-30 03:00 . 2013-06-30 03:01 -------- d-----w- C:\JRT
2013-06-28 20:39 . 2013-06-29 22:57 -------- d-----w- C:\FRST
2013-06-13 02:04 . 2013-06-08 11:13 2706432 ----a-w- c:\windows\system32\mshtml.tlb
2013-06-13 02:04 . 2013-06-08 11:41 218112 ----a-w- c:\program files\Internet Explorer\sqmapi.dll
2013-06-12 20:24 . 2013-04-25 23:30 1505280 ----a-w- c:\windows\system32\d3d11.dll
2013-06-12 20:24 . 2013-05-10 03:20 24576 ----a-w- c:\windows\system32\cryptdlg.dll
2013-06-12 20:24 . 2013-04-26 04:55 492544 ----a-w- c:\windows\system32\win32spl.dll
2013-06-12 20:24 . 2013-05-13 04:45 1160192 ----a-w- c:\windows\system32\crypt32.dll
2013-06-12 20:24 . 2013-05-13 04:45 103936 ----a-w- c:\windows\system32\cryptnet.dll
2013-06-12 20:24 . 2013-05-13 03:08 903168 ----a-w- c:\windows\system32\certutil.exe
2013-06-12 20:24 . 2013-05-13 04:45 140288 ----a-w- c:\windows\system32\cryptsvc.dll
2013-06-12 20:24 . 2013-05-13 03:08 43008 ----a-w- c:\windows\system32\certenc.dll
2013-06-12 20:24 . 2013-04-17 07:02 1230336 ----a-w- c:\windows\system32\WindowsCodecs.dll
2013-06-12 20:24 . 2013-05-06 05:06 3913576 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-06-12 20:24 . 2013-05-06 05:06 3968872 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-06-12 20:24 . 2013-05-08 05:38 1293672 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-06-12 09:27 . 2013-06-24 00:25 -------- d-----w- c:\users\Mummy\AppData\Roaming\Anvisoft
2013-06-12 09:27 . 2013-06-12 09:27 -------- d-----w- c:\programdata\Anvisoft
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-06-11 22:05 . 2012-04-08 11:36 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-06-11 22:05 . 2012-04-08 11:36 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-05-02 02:17 . 2013-05-02 02:17 745472 ----a-w- c:\windows\system32\MsSpellCheckingFacility.exe
2013-05-02 02:17 . 2013-05-02 02:17 185344 ----a-w- c:\windows\system32\elshyph.dll
2013-05-02 02:17 . 2013-05-02 02:17 158720 ----a-w- c:\windows\system32\msls31.dll
2013-05-02 02:17 . 2013-05-02 02:17 138752 ----a-w- c:\windows\system32\wextract.exe
2013-05-02 02:17 . 2013-05-02 02:17 150528 ----a-w- c:\windows\system32\iexpress.exe
2013-05-02 02:17 . 2013-05-02 02:17 523264 ----a-w- c:\windows\system32\vbscript.dll
2013-05-02 02:17 . 2013-05-02 02:17 137216 ----a-w- c:\windows\system32\ieUnatt.exe
2013-05-02 02:17 . 2013-05-02 02:17 12800 ----a-w- c:\windows\system32\mshta.exe
2013-05-02 02:17 . 2013-05-02 02:17 38400 ----a-w- c:\windows\system32\imgutil.dll
2013-05-02 02:17 . 2013-05-02 02:17 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
2013-05-02 02:17 . 2013-05-02 02:17 73728 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2013-05-02 02:17 . 2013-05-02 02:17 48640 ----a-w- c:\windows\system32\mshtmler.dll
2013-05-02 02:17 . 2013-05-02 02:17 61952 ----a-w- c:\windows\system32\tdc.ocx
2013-05-02 02:17 . 2013-05-02 02:17 361984 ----a-w- c:\windows\system32\html.iec
2013-05-02 02:17 . 2013-05-02 02:17 719360 ----a-w- c:\windows\system32\mshtmlmedia.dll
2013-05-02 02:17 . 2013-05-02 02:17 1441280 ----a-w- c:\windows\system32\inetcpl.cpl
2013-05-02 02:17 . 2013-05-02 02:17 23040 ----a-w- c:\windows\system32\licmgr10.dll
2013-05-02 02:14 . 2013-05-02 02:14 49152 ----a-w- c:\windows\system32\taskhost.exe
2013-05-02 02:13 . 2013-05-02 02:13 9728 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2013-05-02 02:13 . 2013-05-02 02:13 5632 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
2013-05-02 02:13 . 2013-05-02 02:13 5632 ---ha-w- c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
2013-05-02 02:13 . 2013-05-02 02:13 4096 ---ha-w- c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
2013-05-02 02:13 . 2013-05-02 02:13 364544 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2013-05-02 02:13 . 2013-05-02 02:13 3584 ---ha-w- c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
2013-05-02 02:13 . 2013-05-02 02:13 3072 ---ha-w- c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
2013-05-02 02:13 . 2013-05-02 02:13 3072 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
2013-05-02 02:13 . 2013-05-02 02:13 2560 ---ha-w- c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
2013-05-02 02:13 . 2013-05-02 02:13 1158144 ----a-w- c:\windows\system32\XpsPrint.dll
2013-05-02 02:13 . 2013-05-02 02:13 10752 ---ha-w- c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
2013-05-02 02:13 . 2013-05-02 02:13 2284544 ----a-w- c:\windows\system32\msmpeg2vdec.dll
2013-05-02 02:13 . 2013-05-02 02:13 906240 ----a-w- c:\windows\system32\FntCache.dll
2013-05-02 02:13 . 2013-05-02 02:13 417792 ----a-w- c:\windows\system32\WMPhoto.dll
2013-05-02 02:13 . 2013-05-02 02:13 1247744 ----a-w- c:\windows\system32\DWrite.dll
2013-05-02 02:13 . 2013-05-02 02:13 249856 ----a-w- c:\windows\system32\d3d10_1core.dll
2013-05-02 02:13 . 2013-05-02 02:13 220160 ----a-w- c:\windows\system32\d3d10core.dll
2013-05-02 02:13 . 2013-05-02 02:13 207872 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2013-05-02 02:13 . 2013-05-02 02:13 161792 ----a-w- c:\windows\system32\d3d10_1.dll
2013-05-02 02:13 . 2013-05-02 02:13 1080832 ----a-w- c:\windows\system32\d3d10.dll
2013-05-02 02:13 . 2013-05-02 02:13 604160 ----a-w- c:\windows\system32\d3d10level9.dll
2013-05-02 02:13 . 2013-05-02 02:13 3419136 ----a-w- c:\windows\system32\d2d1.dll
2013-05-02 02:13 . 2013-05-02 02:13 1988096 ----a-w- c:\windows\system32\d3d10warp.dll
2013-05-02 02:13 . 2013-05-02 02:13 293376 ----a-w- c:\windows\system32\dxgi.dll
2013-05-02 02:13 . 2013-05-02 02:13 187392 ----a-w- c:\windows\system32\UIAnimation.dll
2013-05-02 01:06 . 2012-04-08 11:46 238872 ------w- c:\windows\system32\MpSigStub.exe
2013-05-01 02:49 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
2013-04-13 04:45 . 2013-05-15 02:52 474624 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2013-04-13 04:45 . 2013-05-15 02:52 2176512 ----a-w- c:\windows\apppatch\AcGenral.dll
2013-04-12 13:45 . 2013-04-25 02:07 1211752 ----a-w- c:\windows\system32\drivers\ntfs.sys
2013-04-10 05:18 . 2013-05-15 02:53 728424 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2013-04-10 05:18 . 2013-05-15 02:53 218984 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
2013-04-10 03:14 . 2013-05-15 02:52 2347520 ----a-w- c:\windows\system32\win32k.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-24 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-24 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-24 150552]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-01-28 59720]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SPReview"="c:\windows\System32\SPReview\SPReview.exe" [2013-05-01 280576]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2012-04-09 685816]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-04-25 1343400]
S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
.
.
Contents of the 'Scheduled Tasks' folder
.
2013-06-30 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-08 22:05]
.
2013-06-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-04-08 11:36]
.
2013-06-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-04-08 11:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\Mummy\AppData\Roaming\Mozilla\Firefox\Profiles\vp5fa1p7.default\
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1454746171-1505024422-1534850942-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{AE541776-656E-67B8-BE64-5424A14E21F1}*]
"hacjfffnggehanne"=hex:6a,61,65,66,67,6f,67,66,6f,6f,6a,6e,65,6b,6a,66,6c,6b,
   61,64,00,00
"iaehdedpcgmebdmdbe"=hex:63,61,68,66,65,6f,00,00
"iaiidponjdlfhhjjcd"=hex:6a,61,65,66,67,6f,67,66,6f,6f,6a,6e,65,6b,6a,66,6c,6b,
   61,64,00,00
"dbdigdmbdhjfbpeogfecfhedkpcdkgphchfihplm"=hex:68,61,6c,6b,65,62,64,66,65,68,
   70,6d,68,70,6f,6e,00,00
"jbdigdmbdhjfbpeogfecikhiickcpomggegaamffdepenpgdojfd"=hex:68,61,6c,6b,65,62,
   64,66,65,68,70,6d,68,70,6f,6e,00,00
"dbdigdmbdhjfbpeogfecgkpfgbjhioacpdcfglac"=hex:62,61,63,68,00,00
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-06-30  16:21:10
ComboFix-quarantined-files.txt  2013-06-30 15:21
.
Pre-Run: 40,145,862,656 bytes free
Post-Run: 43,246,346,240 bytes free
.
- - End Of File - - 61A61A678A3E993E0EF7DCE19AEC434B
A36C5E4F47E84449FF07ED3517B43A31
 
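The "LOCKED REGISTRY KEYS" section of the ComboFix log above prints binary values in REGEDIT4 export syntax, with long values wrapped onto indented continuation lines. As an added example (not part of the thread and not ComboFix's own code), this Python script reassembles those wrapped lines and renders the bytes as text so a responder reviewing such a log can see what the opaque hex actually holds; the sample input is copied from the log.

```python
"""Decode hex: values from a ComboFix log's LOCKED REGISTRY KEYS section.

Added example, not part of the thread or of ComboFix. The log uses REGEDIT4
export syntax: comma-separated hex bytes, and a value too long for one line ends
with a trailing comma and continues on the next line, indented with spaces.
"""
import re

# Sample input copied from the log in the thread (the key path and four of its values).
SAMPLE_LOG = r"""
[HKEY_USERS\S-1-5-21-1454746171-1505024422-1534850942-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{AE541776-656E-67B8-BE64-5424A14E21F1}*]
"hacjfffnggehanne"=hex:6a,61,65,66,67,6f,67,66,6f,6f,6a,6e,65,6b,6a,66,6c,6b,
   61,64,00,00
"iaehdedpcgmebdmdbe"=hex:63,61,68,66,65,6f,00,00
"dbdigdmbdhjfbpeogfecfhedkpcdkgphchfihplm"=hex:68,61,6c,6b,65,62,64,66,65,68,
   70,6d,68,70,6f,6e,00,00
"dbdigdmbdhjfbpeogfecgkpfgbjhioacpdcfglac"=hex:62,61,63,68,00,00
"""

# "name"=hex:aa,bb,... once continuation lines have been merged back together.
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=hex:(?P<data>[0-9a-fA-F]{2}(?:,[0-9a-fA-F]{2})*),?$')

def join_continuations(text: str) -> list[str]:
    """Merge wrapped REGEDIT4 lines: a line ending in ',' continues on the next indented line."""
    merged: list[str] = []
    for raw in text.splitlines():
        if merged and merged[-1].endswith(",") and raw[:1].isspace():
            merged[-1] += raw.strip()
        else:
            merged.append(raw.rstrip())
    return merged

def parse_hex_values(text: str) -> dict[str, bytes]:
    """Return {value name: raw bytes} for every hex: value in the dump."""
    values: dict[str, bytes] = {}
    for line in join_continuations(text):
        m = VALUE_RE.match(line)
        if m:
            values[m.group("name")] = bytes(int(b, 16) for b in m.group("data").split(","))
    return values

def as_text(data: bytes) -> str:
    """Render bytes as ASCII, dropping the NUL terminator and marking non-printables with '.'."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in data.rstrip(b"\x00"))

if __name__ == "__main__":
    for name, data in parse_hex_values(SAMPLE_LOG).items():
        print(f"{name:44s} {len(data):3d} bytes  {as_text(data)!r}")
```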



#12 gringo_pr

gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 03 July 2013 - 01:09 AM


Hello getmadnow17

At this time I would like you to run this script for me, and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Please start by opening Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"Information and logs"
  • In your next post I need the following:
    • Report from ComboFix
    • Let me know of any problems you may have had
    • How is the computer doing now after running the script?
Gringo
I Close My Topics If You Have Not Replied In 5 Days. If You Will Be Longer, Please Let Me Know.

If I Have Not Replied To One Of My Topics In 48 Hrs, Please Bump The Topic.

My help is free; however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#13 gringo_pr

Posted 07 July 2013 - 02:14 AM



Hello

48 Hour Bump

It has been more than 48 hours since my last post.
  • Do you still need help with this?
  • Do you need more time?
  • Are you having problems following my instructions?
  • If after 48 hours you have not replied to this thread, then it will have to be closed!
Gringo

#14 gringo_pr

Posted 10 July 2013 - 01:24 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.