Virus attached to external harddrive infected computer


16 replies to this topic

#1 Ziggy28104

Ziggy28104

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:47 AM

Posted 23 November 2013 - 10:40 AM

Recently a friend of mine asked to take some movies off of my external hard drive; when he returned it to me I noticed an "internet explorer" icon on my desktop, and over time several other foreign icons appeared on my desktop. I tried to locate the source and it seems to be inside my internetexplorer.exe, but it will not let me delete it or give myself permission to delete. Only the "trustedinstaller". As I said, I am unable to give myself or change permission. It has also blocked me from being able to conduct a system restore.

 

Also, in my external hard drive from time to time a temporary file pops up, but after several seconds will again hide itself, then later reappear under a different name. I also did an AVG scan which deleted all of my pictures, music, and movies from my external hard drive. Horrified, I quickly recovered the files, although AVG still detects these files to be infected. I am now moving the files from my external hard drive to my laptop to format and restore my external hard drive. I do think that the files will still be infected either way.

 

Any help in this matter will be greatly appreciated, I don't know really what else to do short of wiping everything clean. I would prefer not to lose all my pictures if possible. They hold great value to me.

 

Attached are 2 photos, the first is of the desktop icons and the second is of the temp file which shows in my external hard drive and now in the folder when I moved the files to my laptop.

 

Thank you for your time and help.

 

 

Attached File  Untitled.png   132.41KB   0 downloads

 

Attached File  virus.png   11.64KB   0 downloads




#2 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:USA
  • Local time:10:47 PM

Posted 23 November 2013 - 01:02 PM

Welcome to BC forums!


Please do the following


Step 1: Please click on the Windows 7 Start button and then on Control Panel
In Control Panel, select the Folder Options link.
Click on the View tab in the Folder Options window.

In the Advanced settings: area, locate the Hidden files and folders category.
Check: Show hidden files, folders, and drives
Uncheck: Hide protected operating system files (Recommended)
Click Apply and OK at the bottom of the Folder Options window.


Step 2: Next, download UsbFix:
http://www.en.usbfix.net
Save to the Desktop.

>> In the next step, a window requesting the connection of removable drives appears. Please connect the problem USB drive when requested!

Right-click the downloaded USBFix file and select: Run as Administrator
Press: Research
This option scans the connected drives, and reports its infected Files and Folders
When done, the program closes on its own, and a report appears.
(The report file is also found at C:\UsbFix.txt)

>> Please post the UsbFix.txt (Research) report in your reply.

Step 3: Once again, run USBFix as Administrator, but, this time, press: Listing
It creates a report of all the Folders and Files found at the root of every hard drive, partition, or removable drive connected.

>> Also post the UsbFix.txt (Listing) report in your reply.

Note 1: If USBFix does not run in normal Windows, please run in Safe Mode:
Restart your computer.
When the computer starts, tap the F8 key on the keyboard repeatedly until presented with the Advanced Boot Options menu
Using the arrow keys, select: Safe Mode
Press the Enter key on your keyboard to boot into the selected mode.

Note 2: If your AntiVirus program detects USBFix as malware, either let the AV program allow USBFix to run, or temporarily disable your AntiVirus program:
Info - http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/
When done with USBFix, re-enable your AV!


Step 4: Last, please download the Farbar Recovery Scan Tool
Download: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/
Select the version that applies to your system.
Save it to your Desktop.

Double-click the downloaded file to run it.
When the tool opens click Yes to the disclaimer.
Press the Scan button.
The tool makes a log (FRST.txt) in the same directory from which the tool is run (Desktop).

>> Please provide the FRST.txt in your reply.

The first time the tool is run, it also makes another log: Addition.txt
>> Also post the Addition.txt in your reply.

Old duck...
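An added check for the hidden-file part of the procedure above (Step 1 and the UsbFix Listing report): example code written for this thread, not taken from UsbFix or the original post. It assumes only a Windows host with PowerShell 3 or later and is read-only, so a file that hides and renames itself (like the temp file on the external drive) is still listed with its attributes.

```powershell
# Added example (not from the thread or from UsbFix): list hidden and system items at the
# root of every drive, the kind of listing UsbFix's "Listing" step produces, so an entry
# that hides itself (like the .Tmp that appears and vanishes on the external drive) is
# still visible. Read-only: it changes nothing.

function Get-HiddenRootItems {
    param(
        # Drive letters to inspect; default is every file-system drive PowerShell knows
        [string[]]$DriveLetters = (Get-PSDrive -PSProvider FileSystem |
            Where-Object { $_.Root -match '^[A-Z]:\\$' } | ForEach-Object { $_.Name })
    )
    foreach ($letter in $DriveLetters) {
        $root = "${letter}:\"
        # -Force makes Get-ChildItem return hidden and system entries as well
        Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue | ForEach-Object {
            $attrs  = $_.Attributes
            $hidden = $attrs.HasFlag([IO.FileAttributes]::Hidden)
            $system = $attrs.HasFlag([IO.FileAttributes]::System)
            if ($hidden -or $system) {
                [pscustomobject]@{
                    Path       = $_.FullName
                    Attributes = $attrs.ToString()
                    SizeBytes  = if ($_.PSIsContainer) { $null } else { $_.Length }
                    LastWrite  = $_.LastWriteTime
                    # executables, shortcuts, autorun.inf and odd temp files at a drive root
                    # deserve a look; the usual Windows entries ($Recycle.Bin,
                    # System Volume Information, pagefile.sys) do not
                    Flag       = $_.Name -match '(?i)\.(exe|lnk|tmp|scr|pif|com|vbs|js|bat|cmd)$|^autorun\.inf$'
                }
            }
        }
    }
}

# Flagged entries first; run it a second time a few seconds later if the item
# only shows up intermittently.
Get-HiddenRootItems | Sort-Object Flag -Descending | Format-Table -AutoSize
```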


#3 Ziggy28104

Ziggy28104
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:47 AM

Posted 24 November 2013 - 12:00 AM

Thank you so much for your response!

 

Attached I have the .txt files you requested. Thank you for your help!

 

Attached File  UsbFix Scan 1 Research.txt   25.76KB   9 downloads

Attached File  UsbFix Listing 1 USERSMI-BOSG9F2.txt   2.97KB   5 downloads

Attached File  FRST.txt   25.38KB   20 downloads

Attached File  Addition.txt   10.13KB   3 downloads



#4 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:USA
  • Local time:10:47 PM

Posted 24 November 2013 - 12:38 PM

Please open notepad (Start > All Programs > Accessories > Notepad)
Copy the entire contents of the code box below to Notepad.
Save it to the Desktop, and name it: fixlist.txt

start
HKLM\...\Run: [d5602d55] - C:\Windows\System32\jyBRWl1\H3owNTL.exe [95059 2011-06-23] ()
HKLM\...\Run: [5602d55a] - C:\Windows\System32\H3owNTL\jyBRWl1.exe [95059 2011-06-23] ()
HKLM\...\Runonce: [] - [x]
IMEO\360rp.exe: [Debugger] ntsd -d
IMEO\360rps.exe: [Debugger] ntsd -d
IMEO\360rpt.exe: [Debugger] ntsd -d
IMEO\360Safe.exe: [Debugger] ntsd -d
IMEO\360safebox.exe: [Debugger] ntsd -d
IMEO\360sd.exe: [Debugger] ntsd -d
IMEO\360sdrun.exe: [Debugger] ntsd -d
IMEO\360speedld.exe: [Debugger] ntsd -d
IMEO\360tray.exe: [Debugger] ntsd -d
IMEO\799d.exe: [Debugger] ntsd -d
IMEO\adam.exe: [Debugger] ntsd -d
IMEO\AgentSvr.exe: [Debugger] ntsd -d
IMEO\AntiU.exe: [Debugger] ntsd -d
IMEO\AoYun.exe: [Debugger] ntsd -d
IMEO\appdllman.exe: [Debugger] ntsd -d
IMEO\AppSvc32.exe: [Debugger] ntsd -d
IMEO\ArSwp.exe: [Debugger] ntsd -d
IMEO\ArSwp2.exe: [Debugger] ntsd -d
IMEO\ArSwp3.exe: [Debugger] ntsd -d
IMEO\AST.exe: [Debugger] ntsd -d
IMEO\atpup.exe: [Debugger] ntsd -d
IMEO\auto.exe: [Debugger] ntsd -d
IMEO\AutoRun.exe: [Debugger] ntsd -d
IMEO\autoruns.exe: [Debugger] ntsd -d
IMEO\av.exe: [Debugger] ntsd -d
IMEO\AvastU3.exe: [Debugger] ntsd -d
IMEO\avconsol.exe: [Debugger] ntsd -d
IMEO\avgrssvc.exe: [Debugger] ntsd -d
IMEO\AvMonitor.exe: [Debugger] ntsd -d
IMEO\avp.com: [Debugger] ntsd -d
IMEO\avp.exe: [Debugger] ntsd -d
IMEO\AvU3Launcher.exe: [Debugger] ntsd -d
IMEO\CCenter.exe: [Debugger] ntsd -d
IMEO\ccSvcHst.exe: [Debugger] ntsd -d
IMEO\cross.exe: [Debugger] ntsd -d
IMEO\Discovery.exe: [Debugger] ntsd -d
IMEO\DSMain.exe: [Debugger] ntsd -d
IMEO\EGHOST.exe: [Debugger] ntsd -d
IMEO\FileDsty.exe: [Debugger] ntsd -d
IMEO\filmst.exe: [Debugger] ntsd -d
IMEO\FTCleanerShell.exe: [Debugger] ntsd -d
IMEO\FYFireWall.exe: [Debugger] ntsd -d
IMEO\ghost.exe: [Debugger] ntsd -d
IMEO\guangd.exe: [Debugger] ntsd -d
IMEO\HijackThis.exe: [Debugger] ntsd -d
IMEO\IceSword.exe: [Debugger] ntsd -d
IMEO\iparmo.exe: [Debugger] ntsd -d
IMEO\Iparmor.exe: [Debugger] ntsd -d
IMEO\irsetup.exe: [Debugger] ntsd -d
IMEO\isPwdSvc.exe: [Debugger] ntsd -d
IMEO\jisu.exe: [Debugger] ntsd -d
IMEO\kabaload.exe: [Debugger] ntsd -d
IMEO\KaScrScn.SCR: [Debugger] ntsd -d
IMEO\KASMain.exe: [Debugger] ntsd -d
IMEO\KASTask.exe: [Debugger] ntsd -d
IMEO\KAV32.exe: [Debugger] ntsd -d
IMEO\KAVDX.exe: [Debugger] ntsd -d
IMEO\KAVPF.exe: [Debugger] ntsd -d
IMEO\KAVPFW.exe: [Debugger] ntsd -d
IMEO\KAVSetup.exe: [Debugger] ntsd -d
IMEO\kavstart.exe: [Debugger] ntsd -d
IMEO\kernelwind32.exe: [Debugger] ntsd -d
IMEO\KISLnchr.exe: [Debugger] ntsd -d
IMEO\kissvc.exe: [Debugger] ntsd -d
IMEO\KMailMon.exe: [Debugger] ntsd -d
IMEO\KMFilter.exe: [Debugger] ntsd -d
IMEO\knsd.exe: [Debugger] ntsd -d
IMEO\knsdave.exe: [Debugger] ntsd -d
IMEO\knsdtray.exe: [Debugger] ntsd -d
IMEO\KPFW32.exe: [Debugger] ntsd -d
IMEO\KPFW32X.exe: [Debugger] ntsd -d
IMEO\KPfwSvc.exe: [Debugger] ntsd -d
IMEO\KRegEx.exe: [Debugger] ntsd -d
IMEO\KRepair.com: [Debugger] ntsd -d
IMEO\ksafe.exe: [Debugger] ntsd -d
IMEO\ksafesvc.exe: [Debugger] ntsd -d
IMEO\ksafetray.exe: [Debugger] ntsd -d
IMEO\KsLoader.exe: [Debugger] ntsd -d
IMEO\KSWebShield.exe: [Debugger] ntsd -d
IMEO\KVCenter.kxp: [Debugger] ntsd -d
IMEO\KvDetect.exe: [Debugger] ntsd -d
IMEO\KvfwMcl.exe: [Debugger] ntsd -d
IMEO\KVMonXP.kxp: [Debugger] ntsd -d
IMEO\KVMonXP_1.kxp: [Debugger] ntsd -d
IMEO\kvol.exe: [Debugger] ntsd -d
IMEO\kvolself.exe: [Debugger] ntsd -d
IMEO\KvReport.kxp: [Debugger] ntsd -d
IMEO\KVScan.kxp: [Debugger] ntsd -d
IMEO\KVSrvXP.exe: [Debugger] ntsd -d
IMEO\KVStub.kxp: [Debugger] ntsd -d
IMEO\kvupload.exe: [Debugger] ntsd -d
IMEO\kvwsc.exe: [Debugger] ntsd -d
IMEO\KvXP.kxp: [Debugger] ntsd -d
IMEO\KvXP_1.kxp: [Debugger] ntsd -d
IMEO\KWatch.exe: [Debugger] ntsd -d
IMEO\KWatch9x.exe: [Debugger] ntsd -d
IMEO\KWatchX.exe: [Debugger] ntsd -d
IMEO\KWSMain.exe: [Debugger] ntsd -d
IMEO\kwstray.exe: [Debugger] ntsd -d
IMEO\KWSUpd.exe: [Debugger] ntsd -d
IMEO\loaddll.exe: [Debugger] ntsd -d
IMEO\logogo.exe: [Debugger] ntsd -d
IMEO\MagicSet.exe: [Debugger] ntsd -d
IMEO\mcconsol.exe: [Debugger] ntsd -d
IMEO\mmqczj.exe: [Debugger] ntsd -d
IMEO\mmsk.exe: [Debugger] ntsd -d
IMEO\Navapsvc.exe: [Debugger] ntsd -d
IMEO\Navapw32.exe: [Debugger] ntsd -d
IMEO\NAVSetup.exe: [Debugger] ntsd -d
IMEO\niu.exe: [Debugger] ntsd -d
IMEO\nod32.exe: [Debugger] ntsd -d
IMEO\nod32krn.exe: [Debugger] ntsd -d
IMEO\nod32kui.exe: [Debugger] ntsd -d
IMEO\NPFMntor.exe: [Debugger] ntsd -d
IMEO\pagefile.exe: [Debugger] ntsd -d
IMEO\pagefile.pif: [Debugger] ntsd -d
IMEO\pfserver.exe: [Debugger] ntsd -d
IMEO\PFW.exe: [Debugger] ntsd -d
IMEO\PFWLiveUpdate.exe: [Debugger] ntsd -d
IMEO\qheart.exe: [Debugger] ntsd -d
IMEO\QHSET.exe: [Debugger] ntsd -d
IMEO\QQDoctor.exe: [Debugger] ntsd -d
IMEO\QQDoctorMain.exe: [Debugger] ntsd -d
IMEO\QQDoctorRtp.exe: [Debugger] ntsd -d
IMEO\QQKav.exe: [Debugger] ntsd -d
IMEO\QQPCMgr.exe: [Debugger] ntsd -d
IMEO\QQPCRTP.exe: [Debugger] ntsd -d
IMEO\QQPCSmashFile.exe: [Debugger] ntsd -d
IMEO\QQPCTAVSrv.exe: [Debugger] ntsd -d
IMEO\QQPCTray.exe: [Debugger] ntsd -d
IMEO\qqpcupdateavlib.exe: [Debugger] ntsd -d
IMEO\QQSC.exe: [Debugger] ntsd -d
IMEO\qsetup.exe: [Debugger] ntsd -d
IMEO\Ras.exe: [Debugger] ntsd -d
IMEO\Rav.exe: [Debugger] ntsd -d
IMEO\ravcopy.exe: [Debugger] ntsd -d
IMEO\RavMon.exe: [Debugger] ntsd -d
IMEO\RavMonD.exe: [Debugger] ntsd -d
IMEO\RavStub.exe: [Debugger] ntsd -d
IMEO\RavTask.exe: [Debugger] ntsd -d
IMEO\RegClean.exe: [Debugger] ntsd -d
IMEO\rfwcfg.exe: [Debugger] ntsd -d
IMEO\rfwmain.exe: [Debugger] ntsd -d
IMEO\rfwProxy.exe: [Debugger] ntsd -d
IMEO\rfwsrv.exe: [Debugger] ntsd -d
IMEO\RsAgent.exe: [Debugger] ntsd -d
IMEO\Rsaupd.exe: [Debugger] ntsd -d
IMEO\rsnetsvr.exe: [Debugger] ntsd -d
IMEO\RsTray.exe: [Debugger] ntsd -d
IMEO\rstrui.exe: [Debugger] ntsd -d
IMEO\runiep.exe: [Debugger] ntsd -d
IMEO\sadu.exe: [Debugger] ntsd -d
IMEO\safeboxTray.exe: [Debugger] ntsd -d
IMEO\safelive.exe: [Debugger] ntsd -d
IMEO\scan32.exe: [Debugger] ntsd -d
IMEO\ScanFrm.exe: [Debugger] ntsd -d
IMEO\ScanU3.exe: [Debugger] ntsd -d
IMEO\SDGames.exe: [Debugger] ntsd -d
IMEO\SelfUpdate.exe: [Debugger] ntsd -d
IMEO\servet.exe: [Debugger] ntsd -d
IMEO\shcfg32.exe: [Debugger] ntsd -d
IMEO\SmartUp.exe: [Debugger] ntsd -d
IMEO\sos.exe: [Debugger] ntsd -d
IMEO\SREng.EXE: [Debugger] ntsd -d
IMEO\SREngPS.EXE: [Debugger] ntsd -d
IMEO\stormii.exe: [Debugger] ntsd -d
IMEO\sxgame.exe: [Debugger] ntsd -d
IMEO\symlcsvc.exe: [Debugger] ntsd -d
IMEO\SysSafe.exe: [Debugger] ntsd -d
IMEO\tencentdl.exe: [Debugger] ntsd -d
IMEO\tmp.exe: [Debugger] ntsd -d
IMEO\TNT.Exe: [Debugger] ntsd -d
IMEO\TrojanDetector.exe: [Debugger] ntsd -d
IMEO\Trojanwall.exe: [Debugger] ntsd -d
IMEO\TrojDie.kxp: [Debugger] ntsd -d
IMEO\TSVulFWMan.exe: [Debugger] ntsd -d
IMEO\TxoMoU.Exe: [Debugger] ntsd -d
IMEO\UFO.exe: [Debugger] ntsd -d
IMEO\UIHost.exe: [Debugger] ntsd -d
IMEO\UmxAgent.exe: [Debugger] ntsd -d
IMEO\UmxAttachment.exe: [Debugger] ntsd -d
IMEO\UmxCfg.exe: [Debugger] ntsd -d
IMEO\UmxFwHlp.exe: [Debugger] ntsd -d
IMEO\UmxPol.exe: [Debugger] ntsd -d
IMEO\upiea.exe: [Debugger] ntsd -d
IMEO\UpLive.exe: [Debugger] ntsd -d
IMEO\USBCleaner.exe: [Debugger] ntsd -d
IMEO\vsstat.exe: [Debugger] ntsd -d
IMEO\wbapp.exe: [Debugger] ntsd -d
IMEO\webscanx.exe: [Debugger] ntsd -d
IMEO\WoptiClean.exe: [Debugger] ntsd -d
IMEO\Wsyscheck.exe: [Debugger] ntsd -d
IMEO\XDelBox.exe: [Debugger] ntsd -d
IMEO\XP.exe: [Debugger] ntsd -d
IMEO\zhudongfangyu.exe: [Debugger] ntsd -d
IMEO\zjb.exe: [Debugger] ntsd -d
IMEO\zxsweep.exe: [Debugger] ntsd -d
IMEO\~.exe: [Debugger] ntsd -d
URLSearchHook:
2013-11-23 22:54 - 2011-06-23 03:04 - 00095059 ___SH C:\Windows\system32\yRMgaPr.exe
2013-11-23 19:47 - 2013-11-23 21:30 - 00001148 ____N C:\Users\Public\Desktop\ÌÔ±¦¹ºÎï..lnk
2013-11-23 19:47 - 2013-11-23 19:47 - 00001789 ____N C:\Users\Public\Desktop\Ãâ·ÑС˵..lnk
2013-11-23 19:47 - 2013-11-23 19:47 - 00001765 ____N C:\Users\Public\Desktop\Ãâ·ÑµçÓ°..lnk
2013-11-23 19:47 - 2013-11-23 19:47 - 00000987 ____N C:\Users\Public\Desktop\ÃÀŮͼƬ..lnk
2013-11-23 17:49 - 2013-11-23 22:52 - 00000000 ____D C:\Windows\system32\jyBRWl1
2013-11-23 16:04 - 2013-11-23 23:58 - 00000000 __SHD C:\N123P
2013-11-23 16:04 - 2013-11-23 22:53 - 00000000 ____D C:\Windows\system32\H3owNTL
2013-11-23 22:53 - 2013-11-23 16:04 - 00000000 ____D C:\Windows\system32\H3owNTL
2013-11-23 22:52 - 2013-11-23 17:49 - 00000000 ____D C:\Windows\system32\jyBRWl1
2013-11-23 21:30 - 2013-11-23 19:47 - 00001148 ____N C:\Users\Public\Desktop\ÌÔ±¦¹ºÎï..lnk
2013-11-23 19:47 - 2013-11-23 19:47 - 00001789 ____N C:\Users\Public\Desktop\Ãâ·ÑС˵..lnk
2013-11-23 19:47 - 2013-11-23 19:47 - 00001765 ____N C:\Users\Public\Desktop\Ãâ·ÑµçÓ°..lnk
2013-11-23 19:47 - 2013-11-23 19:47 - 00000987 ____N C:\Users\Public\Desktop\ÃÀŮͼƬ..lnk
C:\ProgramData\PKP_DLeo.DAT
C:\ProgramData\PKP_DLes.DAT
C:\ProgramData\PKP_DLet.DAT
C:\ProgramData\PKP_DLev.DAT
C:\Users\Administrator\AppData\Local\Temp\qqsafeud.exe
end

NOTICE: This script is written specifically for this computer!!! Running this on another computer may cause damage to the Operating System.

Now, run FRST, and press the Fix button, just once, and wait.
When done, the tool creates a report on the Desktop called: Fixlog.txt

>> Please post the Fixlog.txt in your reply.


Also, can you identify your external HD?

Which one of these is it:

Drive d: (New Volume) (Fixed) (Total:259.03 GB) (Free:246.88 GB) NTFS
Drive e: (Elements) (Fixed) (Total:465.73 GB) (Free:312.16 GB) NTFS

Thanks.

Edited by Aaflac, 24 November 2013 - 12:49 PM.

Old duck...
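An added read-only audit of the two persistence mechanisms the fixlist above removes (the IMEO Debugger entries and the two Run values), written as example code for this thread rather than taken from FRST or the original post. It assumes a Windows host with PowerShell 3 or later, run from an elevated prompt; nothing is deleted, it only reports.

```powershell
# Added example (not from the thread or from FRST). An Image File Execution Options
# (IFEO) sub-key named after a program can carry a Debugger value; Windows then launches
# that debugger instead of the program. "ntsd -d" attaches and immediately detaches, so
# every one of the nearly 200 antivirus and cleanup tools named in the fixlist silently
# fails to start. The Run values launch executables from random-named sub-folders of
# System32. This script flags both patterns and removes nothing.

$ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$runKeys  = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-IfeoDebuggerEntries {
    # Each IFEO sub-key is named after an image; a Debugger value redirects its launch.
    Get-ChildItem -Path $ifeoRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($props -and $props.PSObject.Properties['Debugger']) {
            $dbg = [string]$props.Debugger
            [pscustomobject]@{
                Image      = $_.PSChildName
                Debugger   = $dbg
                # ntsd, cmd, rundll32 or svchost are never legitimate just-in-time debuggers
                Suspicious = ($dbg -match '(?i)\b(ntsd|cmd|rundll32|svchost)(\.exe)?\b')
            }
        }
    }
}

function Get-RunEntries {
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($providerProps -contains $p.Name) { continue }   # provider metadata, not a value
            $cmd = [string]$p.Value
            # reduce "C:\dir\app.exe" /args or C:\dir\app.exe /args to the executable path
            $path = if ($cmd -match '^\s*"([^"]+)"') { $Matches[1] }
                    elseif ($cmd -match '^\s*(\S+\.exe)') { $Matches[1] }
                    else { $cmd.Trim() }
            # an .exe one folder below System32 (System32\jyBRWl1\H3owNTL.exe in the fixlist)
            $inSystem32Sub = $path -match '(?i)^[a-z]:\\windows\\system32\\[^\\]+\\[^\\]+\.exe$'
            $hexName       = $p.Name -match '^[0-9a-f]{8}$'   # value names like d5602d55
            $missing       = -not ($path -and (Test-Path -LiteralPath $path))
            [pscustomobject]@{
                Key        = $key
                Name       = $p.Name
                Command    = $cmd
                Suspicious = ($inSystem32Sub -or $hexName -or $missing)
            }
        }
    }
}

Get-IfeoDebuggerEntries | Where-Object { $_.Suspicious } | Format-Table -AutoSize
Get-RunEntries          | Where-Object { $_.Suspicious } | Format-Table -AutoSize
```

Entries reported here are candidates for review, not a verdict: compare each against the FRST log before acting on it.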


#5 Ziggy28104

Ziggy28104
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:47 AM

Posted 24 November 2013 - 01:01 PM

Hello, attached I have the fixlog.

 

The external hard drive is Drive e: (Elements)

I formatted the hard drive and the temporary file doesn't seem to be showing up anymore, I do not know if that fixed the problem or not.

 

Thank you again so much for your help!

 

Attached File  Fixlog.txt   34.69KB   4 downloads



#6 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:USA
  • Local time:10:47 PM

Posted 24 November 2013 - 01:09 PM

Everything FRST identified was located in the C:\ drive, not in E:\.
USBFix did not identify the Temp file on E:\ either.

I formatted the hard drive...

The external hard drive?

Please run FRST once again, click Scan, and post a new report.

Old duck...


#7 Ziggy28104

Ziggy28104
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:47 AM

Posted 24 November 2013 - 01:31 PM

Yes, I formatted the external hard drive, although it did not seem to work or the virus reattached itself to it.

I have attached again what the temp file looks like.

 

I have attached the new report.

 

Thanks again so much for your help!

 

Attached File  FRST.txt   26.46KB   10 downloads

 

Attached File  Untitled.png   5.9KB   0 downloads

Attached File  Untitled2.png   16.16KB   0 downloads

Attached File  Untitled3.png   30.89KB   0 downloads



#8 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:USA
  • Local time:10:47 PM

Posted 24 November 2013 - 09:10 PM

Let's give this another whirl. I overlooked a couple of files that may be causing the issue, and the Tmp file is not showing on the reports.

Please remove the last fixlist from the Desktop, right-click and: Delete

Next, open notepad (Start > All Programs > Accessories > Notepad)
Copy the entire contents inside of the code box below to Notepad.
Save it to the Desktop, and name it: fixlist.txt
start
C:\Windows\System32\yRMgaPr.exe
HKLM\...\Run: [d5602d55] - C:\Windows\System32\jyBRWl1\H3owNTL.exe [95059 2011-06-23] ()
C:\Windows\System32\jyBRWl1\H3owNTL.exe
HKLM\...\Run: [5602d55a] - C:\Windows\System32\H3owNTL\jyBRWl1.exe [95059 2011-06-23] ()
C:\Windows\System32\H3owNTL\jyBRWl1.exe
IMEO\360rp.exe: [Debugger] ntsd -d
IMEO\360rps.exe: [Debugger] ntsd -d
IMEO\360rpt.exe: [Debugger] ntsd -d
IMEO\360Safe.exe: [Debugger] ntsd -d
IMEO\360safebox.exe: [Debugger] ntsd -d
IMEO\360sd.exe: [Debugger] ntsd -d
IMEO\360sdrun.exe: [Debugger] ntsd -d
IMEO\360speedld.exe: [Debugger] ntsd -d
IMEO\360tray.exe: [Debugger] ntsd -d
IMEO\799d.exe: [Debugger] ntsd -d
IMEO\adam.exe: [Debugger] ntsd -d
IMEO\AgentSvr.exe: [Debugger] ntsd -d
IMEO\AntiU.exe: [Debugger] ntsd -d
IMEO\AoYun.exe: [Debugger] ntsd -d
IMEO\appdllman.exe: [Debugger] ntsd -d
IMEO\AppSvc32.exe: [Debugger] ntsd -d
IMEO\ArSwp.exe: [Debugger] ntsd -d
IMEO\ArSwp2.exe: [Debugger] ntsd -d
IMEO\ArSwp3.exe: [Debugger] ntsd -d
IMEO\AST.exe: [Debugger] ntsd -d
IMEO\atpup.exe: [Debugger] ntsd -d
IMEO\auto.exe: [Debugger] ntsd -d
IMEO\AutoRun.exe: [Debugger] ntsd -d
IMEO\autoruns.exe: [Debugger] ntsd -d
IMEO\av.exe: [Debugger] ntsd -d
IMEO\AvastU3.exe: [Debugger] ntsd -d
IMEO\avconsol.exe: [Debugger] ntsd -d
IMEO\avgrssvc.exe: [Debugger] ntsd -d
IMEO\AvMonitor.exe: [Debugger] ntsd -d
IMEO\avp.com: [Debugger] ntsd -d
IMEO\avp.exe: [Debugger] ntsd -d
IMEO\AvU3Launcher.exe: [Debugger] ntsd -d
IMEO\CCenter.exe: [Debugger] ntsd -d
IMEO\ccSvcHst.exe: [Debugger] ntsd -d
IMEO\cross.exe: [Debugger] ntsd -d
IMEO\Discovery.exe: [Debugger] ntsd -d
IMEO\DSMain.exe: [Debugger] ntsd -d
IMEO\EGHOST.exe: [Debugger] ntsd -d
IMEO\FileDsty.exe: [Debugger] ntsd -d
IMEO\filmst.exe: [Debugger] ntsd -d
IMEO\FTCleanerShell.exe: [Debugger] ntsd -d
IMEO\FYFireWall.exe: [Debugger] ntsd -d
IMEO\ghost.exe: [Debugger] ntsd -d
IMEO\guangd.exe: [Debugger] ntsd -d
IMEO\HijackThis.exe: [Debugger] ntsd -d
IMEO\IceSword.exe: [Debugger] ntsd -d
IMEO\iparmo.exe: [Debugger] ntsd -d
IMEO\Iparmor.exe: [Debugger] ntsd -d
IMEO\irsetup.exe: [Debugger] ntsd -d
IMEO\isPwdSvc.exe: [Debugger] ntsd -d
IMEO\jisu.exe: [Debugger] ntsd -d
IMEO\kabaload.exe: [Debugger] ntsd -d
IMEO\KaScrScn.SCR: [Debugger] ntsd -d
IMEO\KASMain.exe: [Debugger] ntsd -d
IMEO\KASTask.exe: [Debugger] ntsd -d
IMEO\KAV32.exe: [Debugger] ntsd -d
IMEO\KAVDX.exe: [Debugger] ntsd -d
IMEO\KAVPF.exe: [Debugger] ntsd -d
IMEO\KAVPFW.exe: [Debugger] ntsd -d
IMEO\KAVSetup.exe: [Debugger] ntsd -d
IMEO\kavstart.exe: [Debugger] ntsd -d
IMEO\kernelwind32.exe: [Debugger] ntsd -d
IMEO\KISLnchr.exe: [Debugger] ntsd -d
IMEO\kissvc.exe: [Debugger] ntsd -d
IMEO\KMailMon.exe: [Debugger] ntsd -d
IMEO\KMFilter.exe: [Debugger] ntsd -d
IMEO\knsd.exe: [Debugger] ntsd -d
IMEO\knsdave.exe: [Debugger] ntsd -d
IMEO\knsdtray.exe: [Debugger] ntsd -d
IMEO\KPFW32.exe: [Debugger] ntsd -d
IMEO\KPFW32X.exe: [Debugger] ntsd -d
IMEO\KPfwSvc.exe: [Debugger] ntsd -d
IMEO\KRegEx.exe: [Debugger] ntsd -d
IMEO\KRepair.com: [Debugger] ntsd -d
IMEO\ksafe.exe: [Debugger] ntsd -d
IMEO\ksafesvc.exe: [Debugger] ntsd -d
IMEO\ksafetray.exe: [Debugger] ntsd -d
IMEO\KsLoader.exe: [Debugger] ntsd -d
IMEO\KSWebShield.exe: [Debugger] ntsd -d
IMEO\KVCenter.kxp: [Debugger] ntsd -d
IMEO\KvDetect.exe: [Debugger] ntsd -d
IMEO\KvfwMcl.exe: [Debugger] ntsd -d
IMEO\KVMonXP.kxp: [Debugger] ntsd -d
IMEO\KVMonXP_1.kxp: [Debugger] ntsd -d
IMEO\kvol.exe: [Debugger] ntsd -d
IMEO\kvolself.exe: [Debugger] ntsd -d
IMEO\KvReport.kxp: [Debugger] ntsd -d
IMEO\KVScan.kxp: [Debugger] ntsd -d
IMEO\KVSrvXP.exe: [Debugger] ntsd -d
IMEO\KVStub.kxp: [Debugger] ntsd -d
IMEO\kvupload.exe: [Debugger] ntsd -d
IMEO\kvwsc.exe: [Debugger] ntsd -d
IMEO\KvXP.kxp: [Debugger] ntsd -d
IMEO\KvXP_1.kxp: [Debugger] ntsd -d
IMEO\KWatch.exe: [Debugger] ntsd -d
IMEO\KWatch9x.exe: [Debugger] ntsd -d
IMEO\KWatchX.exe: [Debugger] ntsd -d
IMEO\KWSMain.exe: [Debugger] ntsd -d
IMEO\kwstray.exe: [Debugger] ntsd -d
IMEO\KWSUpd.exe: [Debugger] ntsd -d
IMEO\loaddll.exe: [Debugger] ntsd -d
IMEO\logogo.exe: [Debugger] ntsd -d
IMEO\MagicSet.exe: [Debugger] ntsd -d
IMEO\mcconsol.exe: [Debugger] ntsd -d
IMEO\mmqczj.exe: [Debugger] ntsd -d
IMEO\mmsk.exe: [Debugger] ntsd -d
IMEO\Navapsvc.exe: [Debugger] ntsd -d
IMEO\Navapw32.exe: [Debugger] ntsd -d
IMEO\NAVSetup.exe: [Debugger] ntsd -d
IMEO\niu.exe: [Debugger] ntsd -d
IMEO\nod32.exe: [Debugger] ntsd -d
IMEO\nod32krn.exe: [Debugger] ntsd -d
IMEO\nod32kui.exe: [Debugger] ntsd -d
IMEO\NPFMntor.exe: [Debugger] ntsd -d
IMEO\pagefile.exe: [Debugger] ntsd -d
IMEO\pagefile.pif: [Debugger] ntsd -d
IMEO\pfserver.exe: [Debugger] ntsd -d
IMEO\PFW.exe: [Debugger] ntsd -d
IMEO\PFWLiveUpdate.exe: [Debugger] ntsd -d
IMEO\qheart.exe: [Debugger] ntsd -d
IMEO\QHSET.exe: [Debugger] ntsd -d
IMEO\QQDoctor.exe: [Debugger] ntsd -d
IMEO\QQDoctorMain.exe: [Debugger] ntsd -d
IMEO\QQDoctorRtp.exe: [Debugger] ntsd -d
IMEO\QQKav.exe: [Debugger] ntsd -d
IMEO\QQPCMgr.exe: [Debugger] ntsd -d
IMEO\QQPCRTP.exe: [Debugger] ntsd -d
IMEO\QQPCSmashFile.exe: [Debugger] ntsd -d
IMEO\QQPCTAVSrv.exe: [Debugger] ntsd -d
IMEO\QQPCTray.exe: [Debugger] ntsd -d
IMEO\qqpcupdateavlib.exe: [Debugger] ntsd -d
IMEO\QQSC.exe: [Debugger] ntsd -d
IMEO\qsetup.exe: [Debugger] ntsd -d
IMEO\Ras.exe: [Debugger] ntsd -d
IMEO\Rav.exe: [Debugger] ntsd -d
IMEO\ravcopy.exe: [Debugger] ntsd -d
IMEO\RavMon.exe: [Debugger] ntsd -d
IMEO\RavMonD.exe: [Debugger] ntsd -d
IMEO\RavStub.exe: [Debugger] ntsd -d
IMEO\RavTask.exe: [Debugger] ntsd -d
IMEO\RegClean.exe: [Debugger] ntsd -d
IMEO\rfwcfg.exe: [Debugger] ntsd -d
IMEO\rfwmain.exe: [Debugger] ntsd -d
IMEO\rfwProxy.exe: [Debugger] ntsd -d
IMEO\rfwsrv.exe: [Debugger] ntsd -d
IMEO\RsAgent.exe: [Debugger] ntsd -d
IMEO\Rsaupd.exe: [Debugger] ntsd -d
IMEO\rsnetsvr.exe: [Debugger] ntsd -d
IMEO\RsTray.exe: [Debugger] ntsd -d
IMEO\rstrui.exe: [Debugger] ntsd -d
IMEO\runiep.exe: [Debugger] ntsd -d
IMEO\sadu.exe: [Debugger] ntsd -d
IMEO\safeboxTray.exe: [Debugger] ntsd -d
IMEO\safelive.exe: [Debugger] ntsd -d
IMEO\scan32.exe: [Debugger] ntsd -d
IMEO\ScanFrm.exe: [Debugger] ntsd -d
IMEO\ScanU3.exe: [Debugger] ntsd -d
IMEO\SDGames.exe: [Debugger] ntsd -d
IMEO\SelfUpdate.exe: [Debugger] ntsd -d
IMEO\servet.exe: [Debugger] ntsd -d
IMEO\shcfg32.exe: [Debugger] ntsd -d
IMEO\SmartUp.exe: [Debugger] ntsd -d
IMEO\sos.exe: [Debugger] ntsd -d
IMEO\SREng.EXE: [Debugger] ntsd -d
IMEO\SREngPS.EXE: [Debugger] ntsd -d
IMEO\stormii.exe: [Debugger] ntsd -d
IMEO\sxgame.exe: [Debugger] ntsd -d
IMEO\symlcsvc.exe: [Debugger] ntsd -d
IMEO\SysSafe.exe: [Debugger] ntsd -d
IMEO\tencentdl.exe: [Debugger] ntsd -d
IMEO\tmp.exe: [Debugger] ntsd -d
IMEO\TNT.Exe: [Debugger] ntsd -d
IMEO\TrojanDetector.exe: [Debugger] ntsd -d
IMEO\Trojanwall.exe: [Debugger] ntsd -d
IMEO\TrojDie.kxp: [Debugger] ntsd -d
IMEO\TSVulFWMan.exe: [Debugger] ntsd -d
IMEO\TxoMoU.Exe: [Debugger] ntsd -d
IMEO\UFO.exe: [Debugger] ntsd -d
IMEO\UIHost.exe: [Debugger] ntsd -d
IMEO\UmxAgent.exe: [Debugger] ntsd -d
IMEO\UmxAttachment.exe: [Debugger] ntsd -d
IMEO\UmxCfg.exe: [Debugger] ntsd -d
IMEO\UmxFwHlp.exe: [Debugger] ntsd -d
IMEO\UmxPol.exe: [Debugger] ntsd -d
IMEO\upiea.exe: [Debugger] ntsd -d
IMEO\UpLive.exe: [Debugger] ntsd -d
IMEO\USBCleaner.exe: [Debugger] ntsd -d
IMEO\vsstat.exe: [Debugger] ntsd -d
IMEO\wbapp.exe: [Debugger] ntsd -d
IMEO\webscanx.exe: [Debugger] ntsd -d
IMEO\WoptiClean.exe: [Debugger] ntsd -d
IMEO\Wsyscheck.exe: [Debugger] ntsd -d
IMEO\XDelBox.exe: [Debugger] ntsd -d
IMEO\XP.exe: [Debugger] ntsd -d
IMEO\zhudongfangyu.exe: [Debugger] ntsd -d
IMEO\zjb.exe: [Debugger] ntsd -d
IMEO\zxsweep.exe: [Debugger] ntsd -d
IMEO\~.exe: [Debugger] ntsd -d
URLSearchHook: ATTENTION ==> Default URLSearchHook is missing.
2013-11-25 01:53 - 2011-06-23 03:04 - 00095059 ___SH C:\Windows\system32\yRMgaPr.exe
2013-11-25 01:52 - 2013-11-25 01:53 - 00000000 ____D C:\Windows\system32\H3owNTL
2013-11-25 01:52 - 2013-11-25 01:52 - 00001789 ____N C:\Users\Public\Desktop\Ãâ·ÑС˵..lnk
2013-11-25 01:52 - 2013-11-25 01:52 - 00001765 ____N C:\Users\Public\Desktop\Ãâ·ÑµçÓ°..lnk
2013-11-25 01:52 - 2013-11-25 01:52 - 00000989 ____N C:\Users\Public\Desktop\ÌÔ±¦¹ºÎï..lnk
2013-11-25 01:52 - 2013-11-25 01:52 - 00000987 ____N C:\Users\Public\Desktop\ÃÀŮͼƬ..lnk
2013-11-25 01:52 - 2013-11-25 01:52 - 00000000 ____D C:\Windows\system32\jyBRWl1
2013-11-23 16:05 - 2011-06-23 03:04 - 00095059 _____ C:\Users\Administrator\Desktop\㩃䙜卒屔畑牡湡楴敮
2013-11-23 16:04 - 2013-11-25 01:52 - 00000000 __SHD C:\N123P
E:\espvwipphbehwpt.Tmp
end

NOTICE: This script is written specifically for this computer!!! Running this on another computer may cause damage to the Operating System.

Now, run FRST, and press the Fix button, just once, and wait.
When done, the tool creates a report on the Desktop called: Fixlog.txt

>> Please post the Fixlog.txt in your reply.

Also, run a Scan with FRST once again, and post its report.


Post back on whether the .Tmp file is gone from E:\.

Old duck...


#9 Ziggy28104

Ziggy28104
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:47 AM

Posted 24 November 2013 - 09:37 PM

Hey, thanks for your help again buddy, I really appreciate it.

 

On my external hard drive I didn't see the temp file pop up, although do note it would appear for several seconds under one name and come back later under another. I watched it for a while and I didn't see anything pop up. I disconnected the hard drive to ensure nothing else would latch onto it.

 

It seems that several files are left after the fix. Again, they are all rooted into Internet Explorer and only the "trusted installer" can make changes. Also the white file seems to be linked to a webpage.

 

 



Edited by Ziggy28104, 24 November 2013 - 09:42 PM.


#10 Ziggy28104

Ziggy28104
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:47 AM

Posted 24 November 2013 - 09:43 PM

and here is the FRST file.

 

Attached File  Untitled.png   30.67KB   0 downloads

 

Attached File  FRST.txt   18.57KB   3 downloads



#11 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:USA
  • Local time:10:47 PM

Posted 24 November 2013 - 10:05 PM

It seems that several files are left after the fix.


Where do you see these files?

Can you right-click the 'white file' on Post #10 (above), and get a capture of what it shows?

Edited by Aaflac, 24 November 2013 - 10:07 PM.

Old duck...


#12 Ziggy28104

Ziggy28104
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:47 AM

Posted 24 November 2013 - 10:11 PM

Both the files are on the desktop.

 

The picture I posted in #10 is being right clicked on. Both the files in #10 and the virus files. The fake "internet explorer" icon and the blank file.

 

I will repost them here.

 

Attached File  Virus.png   34.89KB   0 downloads

 

Attached File  Untitled.png   30.67KB   0 downloads



#13 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:USA
  • Local time:10:47 PM

Posted 24 November 2013 - 10:33 PM

Does this website mean anything to you, or do you go there:

www.tao678.com

Old duck...


#14 Ziggy28104

Ziggy28104
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:47 AM

Posted 24 November 2013 - 10:37 PM

I do not use it, no.

 

It showed up after I plugged my external hard drive back into my laptop after my friend used it to take some files.

 

I think my external hard drive is okay now. What would be the best way to maybe wipe the hard drive clean on my laptop while keeping the operating system? I cannot use a system restore, it was blocked, but now it is saying I don't have any restore points.

 

If I can't take out the virus directly, what other options do I have to start fresh?

 

Thanks again so much for your help.


Edited by Ziggy28104, 25 November 2013 - 05:21 AM.


#15 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:USA
  • Local time:10:47 PM

Posted 25 November 2013 - 10:19 PM

To get rid of the www.tao678.com undesirable entry in the Internet Explorer Start Page, please do the following:

In Internet Explorer, click Tools > Internet Options
On the General tab, in the Address box, type the URL of the page that you want to set as your default home page
Click Apply, and then click OK.


Next, let's focus on cleaning both the computer and the external drive...

Step 1: With the external drive connected, please run Malwarebytes Anti-Malware:
Download: http://www.bleepingcomputer.com/download/malwarebytes-anti-malware/
Save to the Desktop
Double-click the downloaded MBAM file to run it.

When the installation begins, follow the prompts in the setup process.
DO NOT make any changes to default settings and when the program has finished installing, make sure only the following options are checked:
>Update Malwarebytes Anti-Malware
>Launch Malwarebytes Anti-Malware
Uncheck:
>Enable free trial of Malwarebytes Anti-Malware PRO
Click on the Finish button.

If an update is found, the program automatically updates itself.
At the program console, on the Scanner tab, select: Perform Full Scan

When the Select the Drives to scan prompt appears, make sure all drives (except: CD-Rom/DVD) are selected.
Next, click on the Scan button.

When the Malwarebytes scan is completed, click on: Show Results
When presented with a screen showing the malware detected, make sure everything is Checked, and click on: Remove Selected

When removal is completed, a report opens in Notepad.

>> Please copy/paste the entire contents of the MBAM report in your reply.

Note: If MBAM encounters a file that is difficult to remove, you are asked to reboot the computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) prevents MBAM from removing all the malware.



Step 2: The ESET Online Scanner is implemented as an ActiveX control, so it is best run on Internet Explorer.
Right click the IE shortcut and select: Run as Administrator
Next, download: http://www.eset.com/us/online-scanner/

On the ESET website, click on: Run ESET Online Scanner
Click: Start
When asked, allow the add-on to be installed
Click: Start, again

On the next prompt, Computer Scan Settings, check: Remove found threats

Next, click on: Advanced Settings
Make sure the following options are checked:
>Scan for potentially unwanted applications
>Scan for potentially unsafe applications
>Enable Anti-Stealth Technology


By Current Scan Targets, Operating memory, Local drives, press: Change
In Selection of scan targets, Local drives, select the USB drive in question.
Click: OK
Click: Start
Follow the prompts.

When the scan completes, if threats are found, in the Scan Results prompt, click on: List of threats found
Click on: Export to text file
Save to the Desktop and name it: ESET Scan Results
Click on: Back
Place a check on: Uninstall application on close
Click on: Finish, and close the program.

>> If anything is found, please provide the ESET report in your reply to determine what further action is necessary.

Old duck...

