
Zeroaccess rootkit, helper pointed me here


  • This topic is locked
7 replies to this topic

#1 totalnoob23

  • Members
  • 9 posts
  • Local time: 07:15 AM

Posted 12 October 2013 - 11:49 AM

My computer is barely usable. I have popups everywhere, and when I try to use Google Chrome it just says "you could be communicating with an attacker". If I go on to Microsoft Internet Explorer, it just redirects somewhere else when I try to go on any website. It also keeps playing sounds by itself!
 
 
The only other tool that I could get to run was Rkill. I'm not sure if I am meant to post it here too, so sorry if I'm not.
 
Rkill 2.6.1 by Lawrence Abrams (Grinler)
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
 
Program started at: 10/12/2013 05:10:03 PM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1
 
Checking for Windows services to stop:
 
 * IBUpdaterService Stopped. [Sweetpacks-Adware]
 
1 service stopped!
 
Checking for processes to terminate:
 
 * C:\Users\mike\AppData\Roaming\Jenue\wuacaq.exe (PID: 2812) [UP-HEUR]
 * C:\Users\mike\AppData\Local\Temp\MRRE940\load58.exe (PID: 2616) [UP-HEUR]
 * C:\Users\mike\AppData\Local\Temp\MRRE940\load58.exe (PID: 2616) [T-HEUR]
 
3 proccesses terminated!
 
Checking Registry for malware related settings:
 
 * Explorer Policy Removed:  NoActiveDesktopChanges [HKLM]
 
Backup Registry file created at:
 C:\Users\mike\Desktop\rkill\rkill-10-12-2013-05-10-23.reg
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * Modified HKCU\...\Winlogon: [Shell] => explorer.exe,C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-82290\aara9.exe
 
 * ALERT: ZEROACCESS rootkit symptoms found!
 
     * C:\Program Files (x86)\Google\Desktop\Install\{e7801810-69d4-06cd-f2ab-f554a788b2bf}\ [ZA Dir]
     * C:\Program Files (x86)\Google\Desktop\Install\{e7801810-69d4-06cd-f2ab-f554a788b2bf}\   \ [ZA Dir]
     * C:\Program Files (x86)\Google\Desktop\Install\{e7801810-69d4-06cd-f2ab-f554a788b2bf}\   \...\ [ZA Dir]
     * C:\Program Files (x86)\Google\Desktop\Install\{e7801810-69d4-06cd-f2ab-f554a788b2bf}\   \...\ﯹ๛\ [ZA Dir]
     * C:\Program Files (x86)\Google\Desktop\Install\{e7801810-69d4-06cd-f2ab-f554a788b2bf}\   \...\ﯹ๛\{e7801810-69d4-06cd-f2ab-f554a788b2bf}\ [ZA Dir]
     * C:\Users\mike\AppData\Local\Google\Desktop\Install\{e7801810-69d4-06cd-f2ab-f554a788b2bf}\ [ZA Dir]
     * C:\Users\mike\AppData\Local\Google\Desktop\Install\{e7801810-69d4-06cd-f2ab-f554a788b2bf}\❤≸⋙\ [ZA Dir]
     * C:\Users\mike\AppData\Local\Google\Desktop\Install\{e7801810-69d4-06cd-f2ab-f554a788b2bf}\❤≸⋙\Ⱒ☠⍨\ [ZA Dir]
     * C:\Users\mike\AppData\Local\Google\Desktop\Install\{e7801810-69d4-06cd-f2ab-f554a788b2bf}\❤≸⋙\Ⱒ☠⍨\ﯹ๛\ [ZA Dir]
     * C:\Users\mike\AppData\Local\Google\Desktop\Install\{e7801810-69d4-06cd-f2ab-f554a788b2bf}\❤≸⋙\Ⱒ☠⍨\ﯹ๛\{e7801810-69d4-06cd-f2ab-f554a788b2bf}\ [ZA Dir]
     * C:\Windows\assembly\GAC_32\Desktop.ini [ZA File]
     * C:\Windows\assembly\GAC_64\Desktop.ini [ZA File]
 
 * ALERT: ZEROACCESS Reparse Point/Junction found!
 
     * C:\Program Files\Windows Defender\en-US => c:\windows\system32\config\ [Dir]
     * C:\Program Files\Windows Defender\MpAsDesc.dll => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\MpClient.dll => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\MpCmdRun.exe => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\MpCommu.dll => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\MpEvMsg.dll => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\MpOAV.dll => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\MpRTP.dll => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\MpSvc.dll => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\MSASCui.exe => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\MsMpCom.dll => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\MsMpLics.dll => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\MsMpRes.dll => c:\windows\system32\config [File]
     * C:\Windows\winsxs\amd64_security-malware-windows-defender-events_31bf3856ad364e35_6.1.7600.16385_none_118cf1dcd54a3dea\MpEvMsg.dll => c:\windows\system32\config [File]
     * C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_b5e2b6396ecea306\MpAsDesc.dll => c:\windows\system32\config [File]
     * C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_b5e2b6396ecea306\MpClient.dll => c:\windows\system32\config [File]
     * C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_b5e2b6396ecea306\MpCmdRun.exe => c:\windows\system32\config [File]
     * C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_b5e2b6396ecea306\MpCommu.dll => c:\windows\system32\config [File]
     * C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_b5e2b6396ecea306\MpOAV.dll => c:\windows\system32\config [File]
     * C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_b5e2b6396ecea306\MpRTP.dll => c:\windows\system32\config [File]
     * C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_b5e2b6396ecea306\MpSvc.dll => c:\windows\system32\config [File]
     * C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_b5e2b6396ecea306\MSASCui.exe => c:\windows\system32\config [File]
     * C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_b5e2b6396ecea306\MsMpCom.dll => c:\windows\system32\config [File]
     * C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_b5e2b6396ecea306\MsMpLics.dll => c:\windows\system32\config [File]
     * C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_b5e2b6396ecea306\MsMpRes.dll => c:\windows\system32\config [File]
 
Checking Windows Service Integrity: 
 
 * Windows Firewall Authorization Driver (mpsdrv) is not Running.
   Startup Type set to: Manual
 
 * BFE [Missing Service]
 * BITS [Missing Service]
 * iphlpsvc [Missing Service]
 * WinDefend [Missing Service]
 * wscsvc [Missing Service]
 * wuauserv [Missing Service]
 
 * MpsSvc [Missing ImagePath]
 * SharedAccess [Missing ImagePath]
 
Searching for Missing Digital Signatures: 
 
 * No issues found.
 
Checking HOSTS File: 
 
 * No issues found.
 
Program finished at: 10/12/2013 05:10:53 PM
Execution time: 0 hours(s), 0 minute(s), and 50 seconds(s)
 
 
 
 
 
DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 8.0.7601.17514
Run by Mike at 17:28:06 on 2013-10-12
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.44.1033.18.4011.1174 [GMT 1:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Free Ride Games\GPlayer.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Users\mike\AppData\Roaming\Web Cake\WebCakeDesktop.exe
C:\Program Files (x86)\MyPC Backup\MyPC Backup.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe
C:\Program Files (x86)\Web Cake\WDesktop.Updater.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\msdtc.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
C:\Program Files (x86)\Google\Update\Install\{D3E434A9-B039-426E-BDA9-6924544F3D39}\29.0.1547.66_28.0.1500.95_chrome_updater.exe
C:\Windows\TEMP\CR_8BD74.tmp\setup.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\taskhost.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\svchost.exe -k defragsvc
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uWinlogon: Shell = explorer.exe,C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-82290\aara9.exe
mWinlogon: Userinit = userinit.exe
BHO: Speed Analysis 2: {18DBB6CE-3148-4FEC-B481-103CB3290427} - C:\Program Files (x86)\Speed Analysis 2\ScriptHost.dll
BHO: WebCake: {2A5A2A90-3B30-4E6E-A955-2F232C6EF517} - C:\Program Files (x86)\Betcat\WebCakeIEClient.dll
BHO: RealNetworks Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll
BHO: Lyrics Search: {3DFC1C2B-3ECE-439D-8A9D-5C56C56E4C8A} - C:\Program Files (x86)\LyricSearch\lfind.dll
BHO: delta Helper Object: {C1AF5FA5-852C-4C90-812E-A7F75E011D87} - C:\Program Files (x86)\Delta\delta\1.8.22.0\bh\delta.dll
TB: Delta Toolbar: {82E1477C-B154-48D3-9891-33D83C26BCD3} - C:\Program Files (x86)\Delta\delta\1.8.22.0\deltaTlbr.dll
uRun: [Yfofyl] C:\Users\mike\AppData\Roaming\Ilobow\yfofyl.exe
uRun: [aa0rab9] C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-82290\aara9.exe
uRun: [Exetender] "C:\Program Files (x86)\Free Ride Games\GPlayer.exe" /runonstartup
uRun: [NTRedirect] C:\Windows\SysWOW64\rundll32.exe  "C:\Users\mike\AppData\Roaming\BabSolution\Shared\enhancedNT.dll",Run
uRun: [WebCake Desktop] C:\Users\mike\AppData\Roaming\Betcat\WebCakeDesktop.exe
uRun: [Audio Driver] C:\Users\mike\AppData\Local\csrss.exe
uRun: [Wuacaq] C:\Users\mike\AppData\Roaming\Jenue\wuacaq.exe
mRun: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe"  -osboot
dRun: [Exetender] "C:\Program Files (x86)\Free Ride Games\GPlayer.exe" /runonstartup
StartupFolder: C:\Users\mike\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\MYPCBA~1.LNK - C:\Program Files (x86)\MyPC Backup\MyPC Backup.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
LSP: mswsock.dll
LSP: %SystemRoot%\system32\vsocklib.dll
DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} - 
TCP: NameServer = 192.168.232.2
TCP: Interfaces\{1BEA9A02-648A-4C15-8A8F-79221315FE56} : DHCPNameServer = 192.168.232.2
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\28.0.1500.95\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe [2013-4-16 39056]
R2 X5XSEx_Pr143;X5XSEx_Pr143;C:\Program Files (x86)\Free Ride Games\X5XSEx_Pr143.sys [2013-7-30 56136]
S2 BackupStack;Computer Backup (MyPC Backup);C:\Program Files (x86)\MyPC Backup\BackupStack.exe [2013-7-1 32808]
S2 BasicServe Service;BasicServe Service;"C:\Program Files (x86)\BasicServe\basicserve.exe" "C:\Program Files (x86)\BasicServe\basicserve.dll" pininupa yaseyigute --> C:\Program Files (x86)\BasicServe\basicserve.exe [?]
S2 IBUpdaterService;Updater Service;C:\ProgramData\IBUpdaterService\ibsvc.exe [2013-7-30 825376]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-21 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-21 31232]
.
=============== Created Last 30 ================
.
.
==================== Find3M  ====================
.
2013-08-01 21:06:35 502318 ----a-w- C:\ProgramData\1375390820.bdinstall.bin
2013-08-01 20:47:27 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-08-01 20:47:27 692104 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2013-07-30 17:45:46 499712 ----a-w- C:\Windows\SysWow64\msvcp71.dll
2013-07-30 17:45:46 348160 ----a-w- C:\Windows\SysWow64\msvcr71.dll
.
============= FINISH: 17:29:03.30 ===============
 
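The Rkill output above packs the whole ZeroAccess diagnosis into a handful of line formats: the Winlogon Shell value with a second executable appended, directories under Google\Desktop\Install whose names are made of spaces, dots or symbol characters, Desktop.ini dropped into GAC_32 and GAC_64, Windows Defender files turned into reparse points into system32\config, and the core security services (BFE, BITS, wuauserv, WinDefend, wscsvc) reported missing. The Python script below is an added example, not Rkill's code and not part of this thread; it parses those line shapes from a constructed sample modelled on the log above and separates the rootkit-specific artefacts from the merely corroborating ones. The regular expressions assume Rkill's line layout exactly as shown on this page, and the service list is taken from the posted log rather than from Rkill's own definitions.

```python
"""Triage of Rkill-style output for ZeroAccess indicators (added example; not Rkill's code)."""
import re
import unicodedata

# Services the posted log reports as missing or broken; names as Rkill prints them.
CORE_SERVICES = {"BFE", "BITS", "iphlpsvc", "WinDefend", "wscsvc", "wuauserv",
                 "MpsSvc", "SharedAccess"}

# Line shapes assumed from the Rkill output shown in this thread.
SHELL_RE = re.compile(r"Winlogon: \[Shell\] => (?P<value>.+)$")
ZA_RE = re.compile(r"^\* (?P<path>.+?) \[ZA (?P<kind>Dir|File)\]$")
REPARSE_RE = re.compile(r"^\* (?P<src>.+?) => (?P<target>.+?) \[(?:File|Dir)\]$")
MISSING_RE = re.compile(r"^\* (?P<svc>\S+) \[Missing (?:Service|ImagePath)\]$")

# Constructed sample modelled on the Rkill log posted above (abridged, not a verbatim copy).
SAMPLE_RKILL_LOG = r"""
Performing miscellaneous checks:

 * Modified HKCU\...\Winlogon: [Shell] => explorer.exe,C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-82290\aara9.exe

 * ALERT: ZEROACCESS rootkit symptoms found!

     * C:\Program Files (x86)\Google\Desktop\Install\{e7801810-69d4-06cd-f2ab-f554a788b2bf}\ [ZA Dir]
     * C:\Program Files (x86)\Google\Desktop\Install\{e7801810-69d4-06cd-f2ab-f554a788b2bf}\   \...\ﯹ๛\ [ZA Dir]
     * C:\Users\mike\AppData\Local\Google\Desktop\Install\{e7801810-69d4-06cd-f2ab-f554a788b2bf}\❤≸⋙\Ⱒ☠⍨\ [ZA Dir]
     * C:\Windows\assembly\GAC_32\Desktop.ini [ZA File]

 * ALERT: ZEROACCESS Reparse Point/Junction found!

     * C:\Program Files\Windows Defender\en-US => c:\windows\system32\config\ [Dir]
     * C:\Program Files\Windows Defender\MpSvc.dll => c:\windows\system32\config [File]

Checking Windows Service Integrity:

 * BFE [Missing Service]
 * wuauserv [Missing Service]
 * MpsSvc [Missing ImagePath]

Checking HOSTS File:

 * No issues found.
"""


def shell_hijack(value):
    """Return executables appended to the Winlogon Shell value. A clean value is exactly
    'explorer.exe'; anything after the comma is launched by Winlogon at every logon."""
    parts = [p.strip() for p in value.split(",")]
    return [p for p in parts if p and p.lower() != "explorer.exe"]


def is_obfuscated_component(name):
    """True for directory names of the kind in the log: only spaces/dots (which the Win32
    API will not normally create or display), or made entirely of symbols / non-ASCII."""
    if name.strip(" .") == "":
        return True
    return all(ord(c) > 127 or unicodedata.category(c)[0] in "SZ" for c in name)


def obfuscated_components(path):
    return [c for c in path.split("\\") if c and is_obfuscated_component(c)]


def triage(log_text):
    """Classify Rkill lines into indicator buckets."""
    findings = {"shell_hijack": [], "za_dirs": [], "hidden_dirs": [], "za_files": [],
                "reparse_points": [], "missing_services": []}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SHELL_RE.search(line)
        if m:
            findings["shell_hijack"] += shell_hijack(m.group("value"))
            continue
        m = ZA_RE.match(line)
        if m:
            path = m.group("path")
            if m.group("kind") == "File":
                findings["za_files"].append(path)
            else:
                findings["za_dirs"].append(path)
                if obfuscated_components(path):
                    findings["hidden_dirs"].append(path)
            continue
        m = REPARSE_RE.match(line)
        if m and "system32\\config" in m.group("target").lower():
            findings["reparse_points"].append((m.group("src"), m.group("target")))
            continue
        m = MISSING_RE.match(line)
        if m and m.group("svc") in CORE_SERVICES:
            findings["missing_services"].append(m.group("svc"))
    return findings


def is_zeroaccess(findings):
    """Only the rootkit-specific artefacts decide (junctions into system32\\config, hidden
    ZA directories, the GAC Desktop.ini files). A Shell hijack or a missing service is
    corroborating but is also produced by ordinary trojans and by broken updates."""
    return bool(findings["reparse_points"] or findings["hidden_dirs"] or findings["za_files"])


if __name__ == "__main__":
    result = triage(SAMPLE_RKILL_LOG)
    for bucket, items in result.items():
        for item in items:
            print(f"{bucket}: {item}")
    print("verdict:", "ZeroAccess artefacts present" if is_zeroaccess(result)
          else "no rootkit-specific artefacts")
```

Run it as a script to print the buckets for the constructed sample, or pass the text of a real Rkill.txt to triage() for another host. The verdict is deliberately conservative: a second executable on the Shell line or a missing BITS service has many explanations, whereas a Defender DLL that is really a junction into system32\config has no benign one.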



#2 totalnoob23

  • Topic Starter
  • Members
  • 9 posts
  • Local time: 07:15 AM

Posted 12 October 2013 - 11:56 AM

I am not able to attach the other log; it just freezes.



#3 RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team
  • 3,970 posts
  • Gender: Male
  • Local time: 02:15 AM

Posted 12 October 2013 - 02:20 PM

Hello and welcome.  Please follow these guidelines while we work on your PC:

  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I’ve given you the “All clear.”  Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
  • Double-click to run it. When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.


Threads are closed after 5 days of inactivity.

ASAP & UNITE Member

The help you receive here is free. If you wish to show your appreciation, then you may donate.


#4 totalnoob23

  • Topic Starter
  • Members
  • 9 posts
  • Local time: 07:15 AM

Posted 12 October 2013 - 02:55 PM

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 02-10-2013
Ran by mike (administrator) on mike-PC on 12-10-2013 20:25:35
Running from C:\Users\mike\Documents
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(Exent Technologies Ltd.) C:\Program Files (x86)\Free Ride Games\GPlayer.exe
(Bake Cake) C:\Users\mike\AppData\Roaming\Web Cake\WebCakeDesktop.exe
(MyPCBackup.com) C:\Program Files (x86)\MyPC Backup\MyPC Backup.exe
() C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe
(cake bake) C:\Program Files (x86)\Web Cake\WDesktop.Updater.exe
(RealNetworks, Inc.) C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe
() C:\Program Files (x86)\Google\Update\Install\{D3E434A9-B039-426E-BDA9-6924544F3D39}\29.0.1547.66_28.0.1500.95_chrome_updater.exe
(Google Inc.) C:\Windows\TEMP\CR_8BD74.tmp\setup.exe
 
==================== Registry (Whitelisted) ==================
 
HKCU\...\Run: [Yfofyl] - C:\Users\mike\AppData\Roaming\Ilobow\yfofyl.exe
HKCU\...\Run: [aa0rab9] - C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-82290\aara9.exe
HKCU\...\Run: [Exetender] - C:\Program Files (x86)\Free Ride Games\GPlayer.exe [4989848 2013-07-14] (Exent Technologies Ltd.)
HKCU\...\Run: [NTRedirect] - C:\Windows\SysWOW64\rundll32.exe  "C:\Users\mike\AppData\Roaming\BabSolution\Shared\enhancedNT.dll",Run
HKCU\...\Run: [WebCake Desktop] - C:\Users\mike\AppData\Roaming\Betcat\WebCakeDesktop.exe [52504 2013-09-04] (Bake Cake)
HKCU\...\Run: [Audio Driver] - C:\Users\mike\AppData\Local\csrss.exe
HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
HKCU\...\Run: [Wuacaq] - C:\Users\mike\AppData\Roaming\Jenue\wuacaq.exe [404480 2013-08-04] (Solutionphrase Inc.)
HKCU\...\Winlogon: [Shell] explorer.exe,C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-82290\aara9.exe <==== ATTENTION 
HKLM-x32\...\Run: [TkBellExe] - C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe [295512 2013-07-30] (RealNetworks, Inc.)
Startup: C:\Users\mike\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPC Backup.lnk
ShortcutTarget: MyPC Backup.lnk -> C:\Program Files (x86)\MyPC Backup\MyPC Backup.exe (MyPCBackup.com)
 
==================== Internet (Whitelisted) ====================
 
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKCU - {47AE1BA9-0BD1-44F4-88AE-45F8F7B605EF} URL = http://www.basicserve.com/?prt=bscsrvgup&sp=bing&keywords={searchTerms}
BHO-x32: Speed Analysis 2 - {18DBB6CE-3148-4FEC-B481-103CB3290427} - C:\Program Files (x86)\Speed Analysis 2\ScriptHost.dll (SpeedAnalysis.com)
BHO-x32: WebCake - {2A5A2A90-3B30-4E6E-A955-2F232C6EF517} - C:\Program Files (x86)\Betcat\WebCakeIEClient.dll (Let Them Eat Web-Cake LLC)
BHO-x32: RealNetworks Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll (RealDownloader)
BHO-x32: Lyrics Search - {3DFC1C2B-3ECE-439D-8A9D-5C56C56E4C8A} - C:\Program Files (x86)\LyricSearch\lfind.dll (Bjornet Industries)
BHO-x32: delta Helper Object - {C1AF5FA5-852C-4C90-812E-A7F75E011D87} - C:\Program Files (x86)\Delta\delta\1.8.22.0\bh\delta.dll (Delta-search.com)
Toolbar: HKLM-x32 - Delta Toolbar - {82E1477C-B154-48D3-9891-33D83C26BCD3} - C:\Program Files (x86)\Delta\delta\1.8.22.0\deltaTlbr.dll (Delta-search.com)
DPF: HKLM-x32 {6A060448-60F9-11D5-A6CD-0002B31F7455} 
Winsock: Catalog5 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 05 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog9 01 mswsock.dll File Not found ()
Winsock: Catalog9 02 mswsock.dll File Not found ()
Winsock: Catalog9 03 mswsock.dll File Not found ()
Winsock: Catalog9 04 mswsock.dll File Not found ()
Winsock: Catalog9 05 mswsock.dll File Not found ()
Winsock: Catalog9 06 mswsock.dll File Not found ()
Winsock: Catalog9 07 mswsock.dll File Not found ()
Winsock: Catalog9 08 mswsock.dll File Not found ()
Winsock: Catalog9 09 mswsock.dll File Not found ()
Winsock: Catalog9 10 mswsock.dll File Not found ()
Winsock: Catalog5-x64 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 05 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog9-x64 01 mswsock.dll File Not found ()
Winsock: Catalog9-x64 02 mswsock.dll File Not found ()
Winsock: Catalog9-x64 03 mswsock.dll File Not found ()
Winsock: Catalog9-x64 04 mswsock.dll File Not found ()
Winsock: Catalog9-x64 05 mswsock.dll File Not found ()
Winsock: Catalog9-x64 06 mswsock.dll File Not found ()
Winsock: Catalog9-x64 07 mswsock.dll File Not found ()
Winsock: Catalog9-x64 08 mswsock.dll File Not found ()
Winsock: Catalog9-x64 09 mswsock.dll File Not found ()
Winsock: Catalog9-x64 10 mswsock.dll File Not found ()
Tcpip\Parameters: [DhcpNameServer] 192.168.232.2
 
Chrome: 
=======
CHR HomePage: hxxp://www.google.com/
CHR RestoreOnStartup: "hxxp://www.google.com/"
CHR DefaultSearchURL: (Google) - {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}ie={inputEncoding}
CHR DefaultSuggestURL: (Google) - {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&q={searchTerms}&{google:cursorPosition}{google:zeroPrefixUrl}sugkey={google:suggestAPIKeyParameter}
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\google\chrome\application\22.0.1229.95\PepperFlash\pepflashplayer.dll ()
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\28.0.1500.95\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\28.0.1500.95\pdf.dll ()
CHR Plugin: (Exent\u00AE AOD Gecko Plugin) - C:\Program Files (x86)\Free Ride Games\npExentCtl.dll (Exent Technologies Ltd.)
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll No File
CHR Plugin: (RealPlayer™ G2 LiveConnect-Enabled Plug-In (32-bit) ) - C:\Program Files (x86)\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
CHR Plugin: (RealPlayer Download Plugin) - C:\Program Files (x86)\Real\RealPlayer\Netscape6\nprpplugin.dll (RealPlayer)
CHR Plugin: (RealNetworks™ RealDownloader Chrome Background Extension Plug-In (32-bit) ) - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlchromebrowserrecordext.dll (RealNetworks, Inc.)
CHR Plugin: (RealNetworks™ RealDownloader HTML5VideoShim Plug-In (32-bit) ) - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlhtml5videoshim.dll (RealNetworks, Inc.)
CHR Plugin: (RealNetworks™ RealDownloader PepperFlashVideoShim Plug-In (32-bit) ) - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlpepperflashvideoshim.dll (RealNetworks, Inc.)
CHR Plugin: (RealDownloader Plugin) - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\npdlplugin.dll (RealDownloader)
CHR Extension: (YouTube) - C:\Users\mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_1
CHR Extension: (Google Search) - C:\Users\mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_1
CHR Extension: () - C:\Users\mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgjkhjdcljddbedokogakmmdjgnbeanf\1.0.0.3
CHR Extension: (Delta Toolbar) - C:\Users\mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\eooncjejnppfjjklapaamhcdmjbilmde\1.4_0
CHR Extension: (Web Cake) - C:\Users\mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\fjoijdanhaiflhibkljeklcghcmmfffh\1.0.3_0
CHR Extension: (RealDownloader) - C:\Users\mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\idhngdhcfkoamngbedgpaokgjbnpdiji\1.3.2_0
CHR Extension: (Gmail) - C:\Users\mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_1
CHR HKLM-x32\...\Chrome\Extension: [cjkpeelhbaipjkogeledgpkllepmkdmc] - C:\Program Files (x86)\LyricSearch\Chrome.crx
CHR HKLM-x32\...\Chrome\Extension: [dgjkhjdcljddbedokogakmmdjgnbeanf] - C:\Users\mike\AppData\Roaming\SpeedAnalysis2\SpeedAnalysis.crx
CHR HKLM-x32\...\Chrome\Extension: [eooncjejnppfjjklapaamhcdmjbilmde] - C:\Users\mike\AppData\Roaming\BabSolution\CR\Delta.crx
CHR HKLM-x32\...\Chrome\Extension: [fjoijdanhaiflhibkljeklcghcmmfffh] - C:\Program Files (x86)\Betcat\WebCakeLayers.crx
CHR HKLM-x32\...\Chrome\Extension: [idhngdhcfkoamngbedgpaokgjbnpdiji] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Chrome\Ext\realdownloader.crx
 
==================== Services (Whitelisted) =================
 
S2 BackupStack; C:\Program Files (x86)\MyPC Backup\BackupStack.exe [32808 2013-07-01] (Just Develop It)
S2 IBUpdaterService; C:\ProgramData\IBUpdaterService\ibsvc.exe [825376 2013-07-30] ()
R2 RealNetworks Downloader Resolver Service; C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe [39056 2013-04-16] ()
R2 WebCakeUpdater; C:\Program Files (x86)\Betcat\WBDesktop.Updater.1.0.0.16.exe [51992 2013-09-04] (cake bake)
S2 BasicServe Service; "C:\Program Files (x86)\BasicServe\basicserve.exe" "C:\Program Files (x86)\BasicServe\basicserve.dll" pininupa yaseyigute
S2 WinHbjkelp32; C:\Program Files\Internet Explorer\WinHjkelp32.exe [x]
U2 *etadpug; "C:\Program Files (x86)\Google\Desktop\Install\{e7801810-69d4-06cd-f2ab-f554a788b2bf}\   \...\???\{e7801810-69d4-06cd-f2ab-f554a788b2bf}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)
 
==================== Drivers (Whitelisted) ====================
 
R1 Serial; C:\Windows\System32\DRIVERS\serial.sys [94208 2009-07-14] (Brother Industries Ltd.)
R2 X5XSEx_Pr143; C:\Program Files (x86)\Free Ride Games\X5XSEx_Pr143.Sys [56136 2012-08-02] (Exent Technologies Ltd.)
R2 X5XSEx_Pr143; C:\Program Files (x86)\Free Ride Games\X5XSEx_Pr143.Sys [56136 2012-08-02] (Exent Technologies Ltd.)
U4 vsserv; 
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2013-10-12 20:25 - 2013-10-12 20:25 - 00000000 ____D C:\FRST
2013-10-12 20:23 - 2013-10-12 20:23 - 01954124 _____ (Farbar) C:\Users\mike\Documents\FRST64.exe
2013-10-12 20:23 - 2013-10-12 20:23 - 01954124 _____ (Farbar) C:\Users\mike\Desktop\FRST64.exe
2013-10-12 17:29 - 2013-10-12 17:29 - 00007161 _____ C:\Users\mike\Desktop\dds.txt
2013-10-12 17:29 - 2013-10-12 17:29 - 00001801 _____ C:\Users\mike\Desktop\attach.txt
2013-10-12 17:27 - 2013-10-12 17:26 - 00688992 ____R (Swearware) C:\Users\mike\Desktop\dds.com
2013-10-12 17:10 - 2013-10-12 17:10 - 00012892 _____ C:\Users\mike\Desktop\Rkill.txt
2013-10-12 17:10 - 2013-10-12 17:10 - 00000000 ____D C:\Users\mike\Desktop\rkill
2013-10-12 17:10 - 2013-10-12 17:09 - 01898112 _____ (Bleeping Computer, LLC) C:\Users\mike\Desktop\rkill.exe
2013-10-12 17:04 - 2013-10-12 17:03 - 00891167 _____ C:\Users\mike\Desktop\SecurityCheck.exe
 
==================== One Month Modified Files and Folders =======
 
2013-10-12 20:25 - 2013-10-12 20:25 - 00000000 ____D C:\FRST
2013-10-12 20:24 - 2013-07-30 18:45 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-10-12 20:23 - 2013-10-12 20:23 - 01954124 _____ (Farbar) C:\Users\mike\Documents\FRST64.exe
2013-10-12 20:23 - 2013-10-12 20:23 - 01954124 _____ (Farbar) C:\Users\mike\Desktop\FRST64.exe
2013-10-12 20:23 - 2013-08-01 21:47 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-10-12 20:23 - 2013-07-30 18:45 - 00000890 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-10-12 20:23 - 2013-07-30 18:30 - 00000394 _____ C:\Windows\Tasks\Lyrics Search Update.job
2013-10-12 17:29 - 2013-10-12 17:29 - 00007161 _____ C:\Users\mike\Desktop\dds.txt
2013-10-12 17:29 - 2013-10-12 17:29 - 00001801 _____ C:\Users\mike\Desktop\attach.txt
2013-10-12 17:26 - 2013-10-12 17:27 - 00688992 ____R (Swearware) C:\Users\mike\Desktop\dds.com
2013-10-12 17:10 - 2013-10-12 17:10 - 00012892 _____ C:\Users\mike\Desktop\Rkill.txt
2013-10-12 17:10 - 2013-10-12 17:10 - 00000000 ____D C:\Users\mike\Desktop\rkill
2013-10-12 17:09 - 2013-10-12 17:10 - 01898112 _____ (Bleeping Computer, LLC) C:\Users\mike\Desktop\rkill.exe
2013-10-12 17:06 - 2013-07-30 18:45 - 00000000 ____D C:\Users\mike\AppData\Roaming\Real
2013-10-12 17:04 - 2013-07-30 19:22 - 00000000 ____D C:\Users\mike\AppData\Roaming\Web Cake
2013-10-12 17:03 - 2013-10-12 17:04 - 00891167 _____ C:\Users\mike\Desktop\SecurityCheck.exe
2013-09-20 20:30 - 2013-07-30 19:22 - 00000282 _____ C:\Windows\Tasks\PC Performer_UPDATES.job
2013-09-20 20:30 - 2013-07-30 18:46 - 00003336 _____ C:\Windows\System32\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-4052971585-2151663972-481585541-1002
2013-09-20 20:30 - 2013-07-30 18:46 - 00003200 _____ C:\Windows\System32\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-4052971585-2151663972-481585541-1002
2013-09-12 09:48 - 2013-07-30 19:22 - 00003118 _____ C:\Windows\System32\Tasks\PC Performer
2013-09-12 09:48 - 2013-07-30 19:22 - 00000274 _____ C:\Windows\Tasks\PC Performer_DEFAULT.job
2013-09-12 09:47 - 2009-07-14 05:45 - 00016832 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-09-12 09:47 - 2009-07-14 05:45 - 00016832 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
 
ZeroAccess:
C:\Windows\assembly\GAC_32\Desktop.ini
 
ZeroAccess:
C:\Windows\assembly\GAC_64\Desktop.ini
 
Files to move or delete:
====================
ZeroAccess:
C:\Users\mike\AppData\Local\Google\Desktop\Install
ZeroAccess:
C:\Program Files (x86)\Google\Desktop\Install
 
 
Some content of TEMP:
====================
C:\Users\mike\AppData\Local\Temp\200673.exe
C:\Users\mike\AppData\Local\Temp\200824.exe
C:\Users\mike\AppData\Local\Temp\200826.exe
C:\Users\mike\AppData\Local\Temp\200830.exe
C:\Users\mike\AppData\Local\Temp\200841.exe
C:\Users\mike\AppData\Local\Temp\BackupSetup.exe
C:\Users\mike\AppData\Local\Temp\basicserve_bscsrvgup.exe
C:\Users\mike\AppData\Local\Temp\Fantapper.exe
C:\Users\mike\AppData\Local\Temp\hasfj.exe
C:\Users\mike\AppData\Local\Temp\InstallFlashPlayer.exe
C:\Users\mike\AppData\Local\Temp\lowproc.exe
C:\Users\mike\AppData\Local\Temp\msimg32.dll
C:\Users\mike\AppData\Local\Temp\OfferBrokerage_14034.exe
C:\Users\mike\AppData\Local\Temp\PreCheckAMWhiteSmoke_118_041713203938.exe
C:\Users\mike\AppData\Local\Temp\PreCheckOfferBrokerageYahoo_041613105257.exe
C:\Users\mike\AppData\Local\Temp\RealPlayer.exe
C:\Users\mike\AppData\Local\Temp\setup__118.exe
C:\Users\mike\AppData\Local\Temp\stubhelper.dll
C:\Users\mike\AppData\Local\Temp\vcredist_x64.exe
C:\Users\mike\AppData\Local\Temp\vcredist_x86.exe
C:\Users\mike\AppData\Local\Temp\zfbttcb.exe
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
C:\Program Files\Windows Defender\mpsvc.dll => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
 
 
LastRegBack: 2013-10-12 20:25
 
==================== End Of Log ============================
 
I can't get it to attach; it just freezes my PC. Am I doing something wrong?
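FRST's "Bamital & volsnap Check" ends with the most telling line in this log: C:\Program Files\Windows Defender\mpsvc.dll is not a DLL at all but a reparse point into C:\Windows\System32\config, which is why Rkill listed WinDefend, BFE and the other services as missing and why FRST points at DeleteJunctionsInDirectory. The Python below is an added example (not FRST or Rkill code) of checking a directory for that pattern directly: it walks a tree without following links, reads the target of every symlink or junction it meets, and reports the ones pointing into system32\config. The demo tree it builds is constructed, and uses POSIX symlinks in place of NTFS junctions so the example runs on any platform; on a Windows host you would call scan_for_redirects(r"C:\Program Files\Windows Defender") instead, where os.lstat exposes the reparse-point attribute and os.readlink (Python 3.8 or later) reads junction targets.

```python
"""Live check for the ZeroAccess 'Defender files redirected into system32\\config' trick
(added example; not Rkill or FRST code)."""
import os
import stat
import tempfile


def reparse_target(path):
    """Return the link/junction target of `path`, or None for an ordinary file or directory.
    Windows marks junctions and symlinks with FILE_ATTRIBUTE_REPARSE_POINT on lstat and
    os.readlink() reads both (Python 3.8+); POSIX only has symlinks, found via S_ISLNK."""
    st = os.lstat(path)
    win_attrs = getattr(st, "st_file_attributes", 0)
    if win_attrs & stat.FILE_ATTRIBUTE_REPARSE_POINT or stat.S_ISLNK(st.st_mode):
        try:
            return os.readlink(path)
        except OSError:
            return "<unreadable reparse point>"
    return None


def normalise(target):
    """Lower-case, forward-slash form of a target, minus the Windows \\\\?\\ prefix."""
    t = target.replace("\\", "/").lower()
    return t[4:] if t.startswith("//?/") else t


def scan_for_redirects(root, suspicious_fragment="system32/config"):
    """Walk `root` without following links and report every symlink or junction whose
    target contains `suspicious_fragment`. This is the pattern Rkill and FRST flagged
    above: Defender binaries replaced by reparse points into C:\\Windows\\System32\\config,
    a directory rather than a loadable image, so the Defender service cannot start."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            target = reparse_target(full)
            if target is not None and suspicious_fragment in normalise(target):
                hits.append((full, target))
    return sorted(hits)


def build_demo_tree(base):
    """Constructed stand-in for the infected layout from the thread, using POSIX symlinks
    in place of NTFS junctions. Returns the fake 'Windows Defender' directory."""
    config = os.path.join(base, "Windows", "System32", "config")
    defender = os.path.join(base, "Program Files", "Windows Defender")
    os.makedirs(config)
    os.makedirs(defender)
    with open(os.path.join(defender, "MpClient.dll"), "wb") as fh:  # an untouched file
        fh.write(b"MZ")
    os.symlink(config, os.path.join(defender, "MpSvc.dll"))  # file name -> directory
    os.symlink(config, os.path.join(defender, "en-US"))      # directory -> directory
    return defender


def demo():
    """Build the constructed tree in a temp dir and return the redirected entry names."""
    defender = build_demo_tree(tempfile.mkdtemp(prefix="za-demo-"))
    return [os.path.basename(entry) for entry, _ in scan_for_redirects(defender)]


if __name__ == "__main__":
    defender_dir = build_demo_tree(tempfile.mkdtemp(prefix="za-demo-"))
    for entry, target in scan_for_redirects(defender_dir):
        print(f"REDIRECTED: {entry} -> {target}")
```

The untouched MpClient.dll is listed by os.walk like everything else but has no reparse target, so it is never reported; only the two redirected entries come back. The same scan over C:\Windows\winsxs would surface the redirected component-store copies that Rkill listed, which is why FRST's fix has to cover both locations rather than just the Program Files directory.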


#5 RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team
  • 3,970 posts
  • Gender: Male
  • Local time: 02:15 AM

Posted 12 October 2013 - 11:41 PM

Please do this next:

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it in the same location as FRST (usually your desktop) as fixlist.txt

HKCU\...\Run: [Yfofyl] - C:\Users\mike\AppData\Roaming\Ilobow\yfofyl.exe
HKCU\...\Run: [aa0rab9] - C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-82290\aara9.exe
HKCU\...\Run: [NTRedirect] - C:\Windows\SysWOW64\rundll32.exe  "C:\Users\mike\AppData\Roaming\BabSolution\Shared\enhancedNT.dll",Run
HKCU\...\Run: [WebCake Desktop] - C:\Users\mike\AppData\Roaming\Betcat\WebCakeDesktop.exe [52504 2013-09-04] (Bake Cake)
HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
HKCU\...\Run: [Wuacaq] - C:\Users\mike\AppData\Roaming\Jenue\wuacaq.exe [404480 2013-08-04] (Solutionphrase Inc.)
HKCU\...\Winlogon: [Shell] explorer.exe,C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-82290\aara9.exe <==== ATTENTION
R2 WebCakeUpdater; C:\Program Files (x86)\Betcat\WBDesktop.Updater.1.0.0.16.exe [51992 2013-09-04] (cake bake)
S2 WinHbjkelp32; C:\Program Files\Internet Explorer\WinHjkelp32.exe [x]
U2 *etadpug; "C:\Program Files (x86)\Google\Desktop\Install\{e7801810-69d4-06cd-f2ab-f554a788b2bf}\   \...\???\{e7801810-69d4-06cd-f2ab-f554a788b2bf}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
C:\Users\mike\AppData\Local\Google\Desktop\Install
C:\Program Files (x86)\Google\Desktop\Install
C:\Users\mike\AppData\Local\Temp\200673.exe
C:\Users\mike\AppData\Local\Temp\200824.exe
C:\Users\mike\AppData\Local\Temp\200826.exe
C:\Users\mike\AppData\Local\Temp\200830.exe
C:\Users\mike\AppData\Local\Temp\200841.exe
C:\Users\mike\AppData\Local\Temp\hasfj.exe
C:\Users\mike\AppData\Local\Temp\zfbttcb.exe
C:\Users\mike\AppData\Roaming\Ilobow\yfofyl.exe
C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-82290\aara9.exe
C:\Users\mike\AppData\Roaming\BabSolution\Shared\enhancedNT.dll
C:\Users\mike\AppData\Roaming\Betcat\WebCakeDesktop.exe
C:\Users\mike\AppData\Roaming\Jenue\wuacaq.exe
DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Now run FRST again.
  • When the tool opens click Yes to disclaimer.
  • Press the Fix button just once and wait.
  • The tool will make a log (Fixlog.txt) please post it to your reply.

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.

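As an added example (not from this thread, from FRST, or from the helper), a Python triage pass over FRST-style log lines that flags the patterns the fixlist above acted on: FRST's own ATTENTION marker, a payload under C:\RECYCLER\S-1-5-21-*, the \...\ and ??? reserved-name path, rundll32 loading a DLL from AppData, and a Winlogon Shell value that chains something after explorer.exe. The regexes for FRST's line layout are assumed from the lines shown here; the sample input reuses the thread's fixlist entries plus one constructed clean entry.

```python
import re

# FRST line shapes this triage understands; assumed from the log layout shown in the thread.
RUN_RE = re.compile(r"^HK(?:CU|LM)\\\.\.\.\\Run: \[(?P<name>[^\]]*)\] - (?P<cmd>.*)$")
SHELL_RE = re.compile(r"^HK(?:CU|LM)\\\.\.\.\\Winlogon: \[Shell\] (?P<cmd>.*)$")
SERVICE_RE = re.compile(r"^(?P<state>[RSU]\d) (?P<name>\S+); (?P<cmd>.*)$")
MARKER_RE = re.compile(r"\s*<[<= ]*ATTENTION.*$")  # FRST's own "<==== ATTENTION (...)" tail


def triage_line(line):
    """Return the reasons one FRST log line looks suspicious ([] if nothing stands out)."""
    reasons = []
    if "ATTENTION" in line:
        reasons.append("flagged by FRST")
    m = RUN_RE.match(line) or SHELL_RE.match(line) or SERVICE_RE.match(line)
    if m is None:
        return reasons
    cmd = MARKER_RE.sub("", m.group("cmd"))  # look at the launched command only
    if re.search(r"\\RECYCLER\\S-1-5-21-", cmd, re.IGNORECASE):
        reasons.append("payload in a RECYCLER SID folder")
    if "\\...\\" in cmd or "???" in cmd:  # the ZeroAccess reserved-name path trick
        reasons.append("reserved-name hidden path")
    if re.search(r'rundll32\.exe\s+"?[^"]*\\AppData\\', cmd, re.IGNORECASE):
        reasons.append("rundll32 loading a DLL from the user profile")
    elif re.search(r"\\AppData\\(?:Roaming|Local)\\", cmd, re.IGNORECASE):
        reasons.append("autostart from user AppData (verify the publisher)")
    if SHELL_RE.match(line):  # Shell should be explorer.exe and nothing else
        extra = [p.strip() for p in cmd.split(",") if p.strip().lower() != "explorer.exe"]
        if extra:
            reasons.append("Winlogon Shell chains extra program: " + ", ".join(extra))
    return reasons


def triage_log(lines):
    """Map each flagged line to its reasons; clean lines are dropped."""
    return {ln: why for ln in lines if (why := triage_line(ln))}


# Sample input: the entries from the helper's fixlist in this thread, plus one constructed clean line.
SAMPLE = [
    r"HKCU\...\Run: [Yfofyl] - C:\Users\mike\AppData\Roaming\Ilobow\yfofyl.exe",
    r"HKCU\...\Run: [aa0rab9] - C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-82290\aara9.exe",
    r'HKCU\...\Run: [NTRedirect] - C:\Windows\SysWOW64\rundll32.exe  "C:\Users\mike\AppData\Roaming\BabSolution\Shared\enhancedNT.dll",Run',
    r"HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)",
    r"HKCU\...\Winlogon: [Shell] explorer.exe,C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-82290\aara9.exe <==== ATTENTION",
    r'U2 *etadpug; "C:\Program Files (x86)\Google\Desktop\Install\{e7801810-69d4-06cd-f2ab-f554a788b2bf}\   \...\???\{e7801810-69d4-06cd-f2ab-f554a788b2bf}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)',
    r"HKCU\...\Run: [Vendor App] - C:\Program Files\Vendor\app.exe [12345 2013-01-01] (Vendor Inc.)",
]
```

Calling `triage_log(SAMPLE)` returns the six malicious entries with their reasons and leaves the constructed clean entry out.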

#6 totalnoob23
  • Topic Starter

Posted 13 October 2013 - 05:10 AM

  Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 02-10-2013

Ran by Mike at 2013-10-13 10:53:16 Run:1
Running from C:\Users\Mike\Documents
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
HKCU\...\Run: [Yfofyl] - C:\Users\mike\AppData\Roaming\Ilobow\yfofyl.exe
HKCU\...\Run: [aa0rab9] - C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-82290\aara9.exe
HKCU\...\Run: [NTRedirect] - C:\Windows\SysWOW64\rundll32.exe  "C:\Users\mike\AppData\Roaming\BabSolution\Shared\enhancedNT.dll",Run
HKCU\...\Run: [WebCake Desktop] - C:\Users\mike\AppData\Roaming\Betcat\WebCakeDesktop.exe [52504 2013-09-04] (Bake Cake)
HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
HKCU\...\Run: [Wuacaq] - C:\Users\mike\AppData\Roaming\Jenue\wuacaq.exe [404480 2013-08-04] (Solutionphrase Inc.)
HKCU\...\Winlogon: [Shell] explorer.exe,C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-82290\aara9.exe <==== ATTENTION
R2 WebCakeUpdater; C:\Program Files (x86)\Betcat\WBDesktop.Updater.1.0.0.16.exe [51992 2013-09-04] (cake bake)
S2 WinHbjkelp32; C:\Program Files\Internet Explorer\WinHjkelp32.exe [x]
U2 *etadpug; "C:\Program Files (x86)\Google\Desktop\Install\{e7801810-69d4-06cd-f2ab-f554a788b2bf}\   \...\???\{e7801810-69d4-06cd-f2ab-f554a788b2bf}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
C:\Users\mike\AppData\Local\Google\Desktop\Install
C:\Program Files (x86)\Google\Desktop\Install
C:\Users\mike\AppData\Local\Temp\200673.exe
C:\Users\mike\AppData\Local\Temp\200824.exe
C:\Users\mike\AppData\Local\Temp\200826.exe
C:\Users\mike\AppData\Local\Temp\200830.exe
C:\Users\mike\AppData\Local\Temp\200841.exe
C:\Users\mike\AppData\Local\Temp\hasfj.exe
C:\Users\mike\AppData\Local\Temp\zfbttcb.exe
C:\Users\mike\AppData\Roaming\Ilobow\yfofyl.exe
C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-82290\aara9.exe
C:\Users\mike\AppData\Roaming\BabSolution\Shared\enhancedNT.dll
C:\Users\mike\AppData\Roaming\Betcat\WebCakeDesktop.exe
C:\Users\mike\AppData\Roaming\Jenue\wuacaq.exe
DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
*****************
 
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\Yfofyl => Value deleted successfully.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\aa0rab9 => Value deleted successfully.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\NTRedirect => Value deleted successfully.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\WebCake Desktop => Value deleted successfully.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\Google Update* => Value deleted successfully.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\Wuacaq => Value deleted successfully.
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.
WebCakeUpdater => Service deleted successfully.
WinHbjkelp32 => Service deleted successfully.
*etadpug => Service deleted successfully.
C:\Windows\assembly\GAC_32\Desktop.ini => Moved successfully.
Could not move "C:\Windows\assembly\GAC_64\Desktop.ini" => Scheduled to move on reboot.
"C:\Users\mike\AppData\Local\Google\Desktop\Install" => Moved successfully.
 
"C:\Program Files (x86)\Google\Desktop\Install" directory move:
 
Could not move "C:\Program Files (x86)\Google\Desktop\Install" directory. => Scheduled to move on reboot.
 
"C:\Users\mike\AppData\Local\Temp\200673.exe" => Moved successfully.
"C:\Users\mike\AppData\Local\Temp\200824.exe" => Moved successfully.
"C:\Users\mike\AppData\Local\Temp\200826.exe" => Moved successfully.
"C:\Users\mike\AppData\Local\Temp\200830.exe" => Moved successfully.
"C:\Users\mike\AppData\Local\Temp\200841.exe" => Moved successfully.
"C:\Users\mike\AppData\Local\Temp\hasfj.exe" => Moved successfully.
"C:\Users\mike\AppData\Local\Temp\zfbttcb.exe" => Moved successfully.
"C:\Users\mike\AppData\Roaming\Ilobow\yfofyl.exe" => Moved successfully.
"C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-82290\aara9.exe" => Moved successfully.
"C:\Users\mike\AppData\Roaming\BabSolution\Shared\enhancedNT.dll" => Moved successfully.
"C:\Users\mike\AppData\Roaming\Betcat\WebCakeDesktop.exe" => Moved successfully.
"C:\Users\mike\AppData\Roaming\Jenue\wuacaq.exe" => Moved successfully.
"C:\Program Files\Windows Defender" => Deleting reparse point and unlocking started.
"C:\Program Files\Windows Defender\en-US" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpAsDesc.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpClient.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpCmdRun.exe" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpCommu.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpEvMsg.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpOAV.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpRTP.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpSvc.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MSASCui.exe" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MsMpCom.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MsMpLics.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MsMpRes.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender" => Deleting reparse point and unlocking completed.
 
=========== Result of Scheduled Files to move ===========
 
C:\Windows\assembly\GAC_64\Desktop.ini => Moved successfully.
C:\Program Files (x86)\Google\Desktop\Install => Moved successfully.
 
==== End of Fixlog ====


#7 RPMcMurphy
  • Malware Response Team

Posted 13 October 2013 - 10:38 AM

Download Combofix from HERE, and save it to your desktop.

**Note:  It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.

  • If you have trouble, stop and post back.  Do not try to repeatedly run comboFix!
  • When finished, it will produce a report for you.
Note: If after running ComboFix you receive a message stating, "Illegal Operation Attempted on a registry key that has been marked for deletion" rebooting your computer will resolve the problem.

Please include the following in your next post:
  • ComboFix log




#8 RPMcMurphy
  • Malware Response Team

Posted 26 October 2013 - 09:30 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.





