
Somoto, Win32/Genetik trojan, etc - Computer slow, had WhiteSmoke search


27 replies to this topic

#1 thelmarie

thelmarie

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:02:43 PM

Posted 13 October 2013 - 10:40 AM

Hello

 

Acer Laptop running XP, all programs up to date, all updates done.

 

My son uses this laptop for school and had been complaining about how slow it has been for a couple of weeks. So with the long weekend I took a look at it.

 

The firefox search bar had WhiteSmoke as a search engine - I think I fixed that one.

Using Internet Explorer with google as the default would bring up all results in Bing - that seems to have been fixed.

Pop ups were happening - that seems to be gone.

Computer was slow and sometimes non responsive.

 

I have run Malwarebytes (removed lots), ESET (removed some), SuperAntiSpyware (removed some), Spybot Search and Destroy (removed ten items including Somoto on reboot), Panda Cloud Scan (removed some, couldn't or didn't remove others), Trend's rootkit (removed one) and Avira (which removed 5 including Tr/Crypt.XPACK.Gen5 on October 11; however, Tr/Crypt.XPACK.Gen5 was detected again last night and removed to quarantine).

 

Computer is still slow (better but slow).

 

I decided to defrag it and noticed this entry which looks weird  -  \WINDOWS\SYSTEM32\쿛蕗唤7

 

So any help would be appreciated.

 

Thanks for your assistance and time.

 

Thelma
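The entry under \WINDOWS\SYSTEM32 with a name made of non-ASCII characters is the kind of thing a defender wants to find mechanically rather than by eye in a defrag view. As an added example (not part of this thread or of any of the tools named in it), here is a small Python script that flags directory entry names that contain non-ASCII or control characters, Unicode bidirectional overrides (used to disguise file extensions), or a trailing space or dot (which Win32 normally strips, so their presence is unusual). The sample listing is constructed; only the characters of the fourth name come from the post above, and `scan_directory` is an assumed helper for applying the same checks to a real folder.

```python
import os
import unicodedata

# Constructed sample listing. The third entry reproduces the characters the
# opening post saw under \WINDOWS\SYSTEM32; the other names are invented to
# exercise the remaining checks (an RLO-disguised name, a trailing space).
SAMPLE_NAMES = [
    "kernel32.dll",
    "drivers",
    "쿛蕗唤7",
    "report\u202efdp.exe",   # contains U+202E RIGHT-TO-LEFT OVERRIDE
    "svchost.exe ",          # trailing space: Win32 normally strips these
]

BIDI_OVERRIDES = {"RLO", "LRO", "RLE", "LRE"}


def name_findings(name):
    """Return the list of reasons a directory entry name looks suspicious."""
    findings = []
    if any(ord(c) < 32 or ord(c) > 126 for c in name):
        findings.append("non-ascii-or-control")
    if any(unicodedata.bidirectional(c) in BIDI_OVERRIDES for c in name):
        findings.append("bidi-override")
    if name != name.rstrip(" ."):
        findings.append("trailing-space-or-dot")
    return findings


def flag_names(names):
    """Map each suspicious name to its findings; clean names are omitted."""
    flagged = {}
    for name in names:
        findings = name_findings(name)
        if findings:
            flagged[name] = findings
    return flagged


def scan_directory(path):
    """Apply the same checks to a real directory (assumed helper, e.g. System32)."""
    with os.scandir(path) as entries:
        return flag_names(entry.name for entry in entries)


if __name__ == "__main__":
    for name, why in flag_names(SAMPLE_NAMES).items():
        print(repr(name), "->", ", ".join(why))
```

Printing with `repr()` matters here: a plain print of a name containing a bidirectional override renders misleadingly in a terminal, which is exactly the trick the check is meant to expose.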




 


#2 hbyton

hbyton

  • Members
  • 196 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:England
  • Local time:09:43 PM

Posted 13 October 2013 - 10:45 AM

Can you post the scan logs of malwarebytes so everybody can see exactly what was removed?



#3 thelmarie

thelmarie
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:02:43 PM

Posted 13 October 2013 - 11:13 AM

Hello and thanks for your time

 

Here is the Malwarebytes Log that includes the detections

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.10.10.06

Windows XP Service Pack 3 x86 FAT32
Internet Explorer 8.0.6001.18702
Thelma Hartman :: ACER-1424F82190 [administrator]

10/10/2013 6:41:00 PM
mbam-log-2013-10-10 (18-41-00).txt

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 293945
Time elapsed: 1 hour(s), 38 minute(s), 52 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 7
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{3444C3C5-6C56-4A16-A453-832B05BF6EA4} (PUP.Optional.MoviesToolBar.A) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3444C3C5-6C56-4A16-A453-832B05BF6EA4} (PUP.Optional.MoviesToolBar.A) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3444C3C5-6C56-4A16-A453-832B05BF6EA4} (PUP.Optional.MoviesToolBar.A) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{CF190686-9E72-403C-B99D-682ABDB63C5B} (PUP.Optional.TopArcadeHits.A) -> Quarantined and deleted successfully.
HKCU\Software\ConduitSearchScopes (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\BI (PUP.Optional.FilesFrog.A) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\DATAMNGR (PUP.Optional.MoviesToolbar.A) -> Quarantined and deleted successfully.

Registry Values Detected: 2
HKCU\Software\BI|ui_path_filesfrog (PUP.Optional.FilesFrog.A) -> Data: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FilesFrog Update Checker -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Datamngr|uninstallstring (PUP.Optional.MoviesToolbar.A) -> Data: C:\Program Files\Movies Toolbar\SafetyNut\uninstall.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 5
C:\Documents and Settings\Thelma Hartman\My Documents\Optimizer Pro (PUP.Optional.OptimizerPro.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Thelma Hartman\Local Settings\Temp\ct3300197 (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Thelma Hartman\Local Settings\Temp\ct3300197\xpi (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Thelma Hartman\Local Settings\Temp\ct3300197\xpi\defaults (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Thelma Hartman\Local Settings\Temp\ct3300197\xpi\defaults\preferences (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.

Files Detected: 53
C:\Documents and Settings\Thelma Hartman\Local Settings\Temp\OptimizerPro.exe (PUP.Optional.OptimizePro.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Thelma Hartman\Local Settings\Temp\UpdateCheckerSetup.exe (PUP.Optional.Somoto.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Thelma Hartman\Local Settings\Temp\MoviesToolbarSetup_Somoto.exe (PUP.Optional.MoviesToolBar.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Thelma Hartman\Local Settings\Temp\SPStub.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Thelma Hartman\Local Settings\Temp\Optimizer_Pro.exe (PUP.Optional.1ClickDownload.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Thelma Hartman\Local Settings\Temp\appshat-distribution.exe (PUP.Optional.Somoto.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Thelma Hartman\Local Settings\Temp\setup__1811.exe (PUP.Optional.Amonetize.AS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Thelma Hartman\Local Settings\Temp\Toparcadehits.exe (PUP.Optional.TopArcadeHits.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Thelma Hartman\Local Settings\Temp\ConduitInstaller.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Thelma Hartman\Local Settings\Temp\dlLogic.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Thelma Hartman\Local Settings\Temp\nsj69.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Thelma Hartman\Local Settings\Temp\nsc6E.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Thelma Hartman\Local Settings\Temp\ToolbarHelper.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Thelma Hartman\Local Settings\Temp\nsuB3B2.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Thelma Hartman\Local Settings\Temp\nsvA\nsoE.tmp\pack.exe (PUP.Optional.SafetyNut.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Thelma Hartman\Local Settings\Temp\nsvA\nsoE.tmp\ffExtension.exe (PUP.Optional.SafetyNut.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Thelma Hartman\Local Settings\Temp\nsvA\nsoE.tmp\mediabar.exe (PUP.Optional.MoviesToolBar.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Thelma Hartman\Local Settings\Temp\nsvA\nsoE.tmp\MoviesToolbarMediaBar.exe (PUP.Optional.MoviesToolBar.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Thelma Hartman\Local Settings\Temp\ct3300197\ctbe.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Thelma Hartman\Local Settings\Temp\ct3300197\fflogic.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Thelma Hartman\Local Settings\Temp\ct3300197\ielogic.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Thelma Hartman\Local Settings\Temp\ct3300197\statisticsStub.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{840F8D40-D2B2-4CA1-A56C-AE9B7E3B083F}\RP105\A0024409.exe (PUP.Optional.SafetyNut.A) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{840F8D40-D2B2-4CA1-A56C-AE9B7E3B083F}\RP105\A0024410.dll (PUP.Optional.SafetyNut.A) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{840F8D40-D2B2-4CA1-A56C-AE9B7E3B083F}\RP105\A0024412.dll (PUP.Optional.SafetyNut.A) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{840F8D40-D2B2-4CA1-A56C-AE9B7E3B083F}\RP105\A0024423.dll (PUP.Optional.MiniBar.A) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{840F8D40-D2B2-4CA1-A56C-AE9B7E3B083F}\RP105\A0024428.exe (PUP.Optional.SafetyNut.A) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{840F8D40-D2B2-4CA1-A56C-AE9B7E3B083F}\RP105\A0024431.exe (Adware.GameVance) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{840F8D40-D2B2-4CA1-A56C-AE9B7E3B083F}\RP105\A0024432.exe (Adware.GameVance) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{840F8D40-D2B2-4CA1-A56C-AE9B7E3B083F}\RP106\A0026096.dll (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{840F8D40-D2B2-4CA1-A56C-AE9B7E3B083F}\RP106\A0026097.dll (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{840F8D40-D2B2-4CA1-A56C-AE9B7E3B083F}\RP106\A0026098.dll (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{840F8D40-D2B2-4CA1-A56C-AE9B7E3B083F}\RP106\A0026099.EXE (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{840F8D40-D2B2-4CA1-A56C-AE9B7E3B083F}\RP106\A0026100.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{840F8D40-D2B2-4CA1-A56C-AE9B7E3B083F}\RP106\A0026101.dll (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{840F8D40-D2B2-4CA1-A56C-AE9B7E3B083F}\RP106\A0026102.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{840F8D40-D2B2-4CA1-A56C-AE9B7E3B083F}\RP106\A0026105.dll (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{840F8D40-D2B2-4CA1-A56C-AE9B7E3B083F}\RP106\A0026106.dll (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{840F8D40-D2B2-4CA1-A56C-AE9B7E3B083F}\RP106\A0026107.dll (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{840F8D40-D2B2-4CA1-A56C-AE9B7E3B083F}\RP106\A0026108.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{840F8D40-D2B2-4CA1-A56C-AE9B7E3B083F}\RP106\A0026109.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{840F8D40-D2B2-4CA1-A56C-AE9B7E3B083F}\RP106\A0026110.dll (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{840F8D40-D2B2-4CA1-A56C-AE9B7E3B083F}\RP106\A0026111.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{840F8D40-D2B2-4CA1-A56C-AE9B7E3B083F}\RP106\A0026114.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{840F8D40-D2B2-4CA1-A56C-AE9B7E3B083F}\RP107\A0027152.exe (PUP.Optional.Somoto.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Thelma Hartman\My Documents\Optimizer Pro\CookiesException.txt (PUP.Optional.OptimizerPro.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Thelma Hartman\Local Settings\Temp\ct3300197\setup.ini.txt (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Thelma Hartman\Local Settings\Temp\ct3300197\chromeid.txt (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Thelma Hartman\Local Settings\Temp\ct3300197\CT3300197.xpi (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Thelma Hartman\Local Settings\Temp\ct3300197\conduit.xml (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Thelma Hartman\Local Settings\Temp\ct3300197\version.txt (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Thelma Hartman\Local Settings\Temp\ct3300197\xpi\install.rdf (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Thelma Hartman\Local Settings\Temp\ct3300197\xpi\defaults\preferences\defaults.js (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.

(end)
 



#4 hbyton

hbyton

  • Members
  • 196 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:England
  • Local time:09:43 PM

Posted 13 October 2013 - 12:21 PM

Okay, most of the files detected were PUPs (potentially unwanted programs) 

 

These two programs are especially designed to remove this type of infection, please run them.

 

AdwCleaner: press Scan. Once the scan has completed, press Delete.

http://www.bleepingcomputer.com/download/adwcleaner/

 

 

Junkware removal tool

http://www.bleepingcomputer.com/download/junkware-removal-tool/

 

You should also run a scan with rkill

 

http://www.bleepingcomputer.com/download/rkill/

 

All of these programs will create a log when finished; please post them into your next post.


Edited by hbyton, 13 October 2013 - 12:26 PM.


#5 thelmarie

thelmarie
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:02:43 PM

Posted 13 October 2013 - 12:41 PM

Hello Hbyton

 

I am starting that now and will post as soon as I finish up the scans

 

Thanks



#6 thelmarie

thelmarie
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:02:43 PM

Posted 13 October 2013 - 12:48 PM

Here is the log from AdwCleaner. Question: when you say delete, what action should that be? Just to close the program with no further action?

 

# AdwCleaner v3.007 - Report created 13/10/2013 at 11:42:39
# Updated 09/10/2013 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : Thelma Hartman - ACER-1424F82190
# Running from : C:\Documents and Settings\Thelma Hartman\My Documents\Downloads\AdwCleaner.exe
# Option : Scan

***** [ Services ] *****


***** [ Files / Folders ] *****

File Found : C:\Documents and Settings\Thelma Hartman\Application Data\Mozilla\Firefox\Profiles\v0sn9yqf.default\searchplugins\Ask.xml
Folder Found C:\Program Files\Conduit

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Found : HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\grusskartencenter.com
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\grusskartencenter.com
Key Found : HKCU\Software\smartbar
Key Found : HKCU\Software\YahooPartnerToolbar
Key Found : HKLM\SOFTWARE\Classes\CLSID\{2CE4D4CF-B278-4126-AD1E-B622DA2E8339}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Found : HKLM\SOFTWARE\Classes\Toolbar.CT3300197
Key Found : HKLM\Software\Conduit
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\bi_uninstaller
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\SearchProtect
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\305B09CE8C53A214DB58887F62F25536
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
Key Found : HKLM\SOFTWARE\MozillaPlugins\@checkpoint.com/FFApi
Value Found : HKLM\SYSTEM\ControlSet002\Control\Session Manager\AppCertDlls [x64]
Value Found : HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls [x64]

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702


-\\ Mozilla Firefox v24.0 (en-US)

[ File : C:\Documents and Settings\Thelma Hartman\Application Data\Mozilla\Firefox\Profiles\v0sn9yqf.default\prefs.js ]


-\\ Google Chrome v30.0.1599.69

[ File : C:\Documents and Settings\Thelma Hartman\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]


*************************

AdwCleaner[R0].txt - [2504 octets] - [13/10/2013 11:42:39]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [2564 octets] ##########
 



#7 hbyton

hbyton

  • Members
  • 196 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:England
  • Local time:09:43 PM

Posted 13 October 2013 - 12:52 PM

When the scan has finished press the delete button. 

 

It will be just next to the search button, after it has finished you may close the program.



#8 thelmarie

thelmarie
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:02:43 PM

Posted 13 October 2013 - 01:06 PM

Hello

 

Re: AdwCleaner. The progress bar seems to not be responding (of course it could be just a slow process) and the text above it says "Pending. Please uncheck elements you don't want to remove."

 

Let it keep churning away? Move onto the next link?

 

Thanks so very much



#9 thelmarie

thelmarie
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:02:43 PM

Posted 13 October 2013 - 01:09 PM

Further to the above, there is no Search button or Delete button as of yet ...?



#10 hbyton

hbyton

  • Members
  • 196 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:England
  • Local time:09:43 PM

Posted 13 October 2013 - 01:16 PM

Leave it for a few minutes; if it is still not progressing, then close it and move on to the next step.


Edited by hbyton, 13 October 2013 - 01:23 PM.


#11 thelmarie

thelmarie
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:02:43 PM

Posted 13 October 2013 - 01:58 PM

Here is the JRT log - will run the last one.

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.4 (10.06.2013:1)
OS: Microsoft Windows XP x86
Ran by Thelma Hartman on Sun 10/13/2013 at 12:34:09.73
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayName
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL



~~~ Registry Keys



~~~ Files



~~~ Folders



~~~ FireFox

Successfully deleted: [File] C:\Documents and Settings\Thelma Hartman\Application Data\mozilla\firefox\profiles\v0sn9yqf.default\searchplugins\ask.xml





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 10/13/2013 at 12:55:53.46
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 



#12 thelmarie

thelmarie
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:02:43 PM

Posted 13 October 2013 - 02:03 PM

And here is the last log from rkill

 

Rkill 2.6.1 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 10/13/2013 12:59:44 PM in x86 mode.
Windows Version: Microsoft Windows XP Service Pack 3

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * C:\WINDOWS\BisonCam\BsMnt.exe (PID: 2816) [WD-HEUR]

1 proccess terminated!

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * No issues found.

Checking Windows Service Integrity:

 * HidServ =>  %SystemRoot%\System32\hidserv.dll [Incorrect ServiceDLL]

Searching for Missing Digital Signatures:

 * C:\WINDOWS\System32\drivers\mqac.sys : 91,776 : 06/22/2009 05:48 AM : eee50bf24caeedb515a8f3b22756d3bb [NoSig]
 +-> C:\WINDOWS\system32\dllcache\mqac.sys : 91,776 : 06/22/2009 05:48 AM : eee50bf24caeedb515a8f3b22756d3bb [Pos Repl]
 +-> C:\WINDOWS\$hf_mig$\KB971032\SP2QFE\mqac.sys : 91,776 : 06/22/2009 05:30 AM : 9229e191fe206628be17d1e67a5faed9 [Pos Repl]
 +-> C:\WINDOWS\$NtUninstallKB971032$\mqac.sys : 72,960 : 08/10/2004 08:00 PM : db07b0088cdfd20c2a22e675120ede34 [Pos Repl]
 +-> C:\WINDOWS\ServicePackFiles\i386\mqac.sys : 92,544 : 04/13/2008 12:39 AM : 70c14f5cca5cf73f8a645c73a01d8726 [Pos Repl]

Checking HOSTS File:

 * Cannot edit the HOSTS file.
 * Permissions could not be fixed. Use Hosts-perm.bat to fix permissions: http://www.bleepingcomputer.com/download/hosts-permbat/

 * HOSTS file entries found:

  127.0.0.1       localhost
  127.0.0.1    www.007guard.com
  127.0.0.1    007guard.com
  127.0.0.1    008i.com
  127.0.0.1    www.008k.com
  127.0.0.1    008k.com
  127.0.0.1    www.00hq.com
  127.0.0.1    00hq.com
  127.0.0.1    010402.com
  127.0.0.1    www.032439.com
  127.0.0.1    032439.com
  127.0.0.1    www.0scan.com
  127.0.0.1    0scan.com
  127.0.0.1    1000gratisproben.com
  127.0.0.1    www.1000gratisproben.com
  127.0.0.1    1001namen.com
  127.0.0.1    www.1001namen.com
  127.0.0.1    100888290cs.com
  127.0.0.1    www.100888290cs.com
  127.0.0.1    www.100sexlinks.com

  20 out of 14660 HOSTS entries shown.
  Please review HOSTS file for further entries.

Program finished at: 10/13/2013 01:01:22 PM
Execution time: 0 hours(s), 1 minute(s), and 38 seconds(s)
 

 

Thanks
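The rkill output above shows only 20 of 14,660 HOSTS entries, and every one shown maps a name to 127.0.0.1. As an added example (not part of this thread or of rkill), here is a small Python triage script that separates three kinds of entries: the default localhost lines, names sinkholed to a loopback or unspecified address (entries of that form block the name rather than redirect it), and names pointed at some other address, which is the redirect pattern a defender would want to review first. The sample text is constructed from lines in the log plus one invented override that uses a documentation address (203.0.113.10), not a real host.

```python
import ipaddress
from collections import Counter

# Constructed sample modelled on the rkill "HOSTS file entries found" section
# above, plus one invented override line (203.0.113.10 is a documentation
# address, not a real attacker IP) to show what a redirect entry looks like.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1    www.007guard.com
127.0.0.1    007guard.com
127.0.0.1    008i.com
0.0.0.0      ads.example.test        # constructed blackhole entry
203.0.113.10 www.example-bank.test   # constructed: redirect pattern
::1             localhost
"""

LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs, ignoring comments and malformed lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first field is not an address; skip the line
        for host in parts[1:]:
            yield ip, host.lower()


def classify(ip, host):
    """default: stock localhost line; blackhole: name sinkholed locally;
    override: name sent to another address (the redirect pattern)."""
    if host in LOCAL_NAMES and ip.is_loopback:
        return "default"
    if ip.is_loopback or ip.is_unspecified:
        return "blackhole"
    return "override"


def triage_hosts(text):
    """Return (counts per class, list of (host, ip) overrides to review)."""
    counts = Counter()
    overrides = []
    for ip, host in parse_hosts(text):
        kind = classify(ip, host)
        counts[kind] += 1
        if kind == "override":
            overrides.append((host, str(ip)))
    return dict(counts), overrides


if __name__ == "__main__":
    counts, overrides = triage_hosts(SAMPLE_HOSTS)
    print(counts)
    for host, ip in overrides:
        print("review:", host, "->", ip)
```

On a real machine, read `%SystemRoot%\System32\drivers\etc\hosts` and pass its contents to `triage_hosts`; a large blackhole count with no overrides is what a blocklist-style hosts file produces, while any override entry deserves a look.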



#13 hbyton

hbyton

  • Members
  • 196 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:England
  • Local time:09:43 PM

Posted 13 October 2013 - 02:16 PM

Your hosts file has been modified; please run this tool to fix it.

 

Run this file to reset permissions

http://www.bleepingcomputer.com/download/hosts-permbat/

 

Then run this tool to reset your hosts file

http://www.majorgeeks.com/mg/getmirror/tweaking_com_repair_hosts_file,1.html

 

 

You should also check to make sure that no rootkits are present on the system

 

malwarebytes antirootkit

http://www.bleepingcomputer.com/download/malwarebytes-anti-rootkit/

 

tdss killer

http://www.bleepingcomputer.com/download/tdsskiller/

 

After you have run these tools, try and run AdwCleaner again. If it works, then great, we can move on to the next step and start tuning it up to increase the speed; if not, then it's probably best that we wait for a mod or somebody from the Malware Response Team to come and assist, as there may be something else going on :)


Edited by hbyton, 13 October 2013 - 02:33 PM.


#14 thelmarie

thelmarie
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:02:43 PM

Posted 13 October 2013 - 02:54 PM

Thanks hbyton

 

Running the one from MajorGeeks (after I realized that I had to shut down Avira because it was blocking the hosts file). I will keep you updated :thumbup2:



#15 thelmarie

thelmarie
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:02:43 PM

Posted 13 October 2013 - 03:06 PM

just me again

 

So I can't decide if the MajorGeeks program is finished or not. This is the message:

 

Log:
Repair Hosts File
   Start (10/13/2013 1:49:05 PM)
   Running Repair Under System Account
   Done (10/13/2013 1:49:14 PM)

   Total Repair Time: 00:00:09

 

But on the right side of the display the Status remains empty and progress bar remains grey and there is a Stop button.

 

So is it finished, or frozen, or still doing its job?





