My documents opens by itself - combofix report


This topic is locked
26 replies to this topic

#1 2d2f

2d2f

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:10:10 PM

Posted 31 March 2014 - 10:07 AM

ComboFix 14-03-24.01 - xp 31.03.14  17:55:29.3.1 - x86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1014.431 [GMT 2:00]
Running from: c:\documents and settings\xp\My Documents\Downloads\ComboFix.exe
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\install.exe
c:\program files\IObitBar\toolbar\1.bin\i0SRcas.dll
c:\windows\system32\ctl3d32.dll.tmp
c:\windows\system32\drivers\ba42d6a414a39274.sys
c:\windows\system32\mswmpdat.tlb
c:\windows\VC.ini
c:\windows\wininit.ini
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_SYSHOST32
-------\Legacy_ba42d6a414a39274
-------\Service_ba42d6a414a39274
.
.
(((((((((((((((((((((((((   Files Created from 2014-02-28 to 2014-03-31  )))))))))))))))))))))))))))))))
.
.
2014-03-31 14:33 . 2014-03-31 15:19    107736    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-03-31 12:58 . 2014-03-31 14:54    --------    d-----w-    c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2014-03-31 12:58 . 2014-03-31 15:08    --------    d-----w-    c:\program files\Spybot - Search & Destroy 2
2014-03-31 12:48 . 2014-03-31 12:49    --------    d-----w-    c:\documents and settings\Administrator
2014-03-31 12:44 . 2014-03-31 15:12    --------    d-sh--w-    c:\program files\Common Files\Akiku
2014-03-31 12:30 . 2014-03-05 07:26    50648    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2014-03-31 12:30 . 2014-03-05 07:26    23256    ----a-w-    c:\windows\system32\drivers\mbam.sys
2014-03-31 12:30 . 2014-03-31 14:33    --------    d-----w-    c:\program files\Malwarebytes Anti-Malware
2014-03-31 12:30 . 2014-03-31 12:30    --------    d-----w-    c:\documents and settings\All Users\Application Data\Malwarebytes
2014-03-27 11:09 . 2014-03-27 11:09    37376    ----a-w-    c:\windows\system32\AlmopmuZtuzq.dll
2014-03-26 07:40 . 2014-03-31 15:33    --------    d-sh--w-    c:\program files\Common Files\xQ4e5dFM40
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-03-12 13:13 . 2013-10-15 11:05    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2014-03-12 13:13 . 2013-10-15 11:05    692616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2014-01-30 14:40 . 2014-01-30 14:40    145408    ----a-w-    c:\windows\system32\javacpl.cpl
2014-01-30 14:40 . 2014-01-30 14:34    94632    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
1996-08-08 10:30 . 1996-08-08 10:30    68880    -c--a-w-    c:\program files\REGINI.EXE
1994-09-16 13:00 . 1994-09-16 13:00    20976    -c--a-w-    c:\program files\CTL3D.DLL
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AKiku"="c:\program files\Common Files\Akiku\tjiujsnjb.exe" [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AKiku"="c:\program files\Common Files\Akiku\tjiujsnjb.exe" [BU]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AKiku"="c:\program files\Common Files\Akiku\vfwhhydlr.exe" [BU]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
"IE7-10"="advpack.dll" [2009-03-08 128512]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"TaskbarNoNotification"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"TaskbarNoNotification"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute    REG_MULTI_SZ       autocheck autochk *\0\0sdnclean.exe
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
backup=c:\windows\pss\McAfee Security Scan Plus.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Personal.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Personal.lnk
backup=c:\windows\pss\Personal.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Token Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Token Manager.lnk
backup=c:\windows\pss\Token Manager.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2013-11-21 16:57    959904    ----a-w-    c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AKiku]
c:\program files\Common Files\Akiku\tjiujsnjb.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-11-28 13:13    59280    ----a-w-    c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2006-02-01 15:45    98304    ----a-w-    c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-03 23:56    15360    ------w-    c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HDAudDeck]
2009-11-16 08:49    33681408    ----a-r-    c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-11-12 09:04    173592    ----a-w-    c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2008-11-12 09:05    141336    ----a-w-    c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-08-11 15:30    249856    ----a-w-    c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-08-11 15:30    81920    ----a-w-    c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-12-12 12:57    152544    ----a-w-    c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 14:40    155648    ----a-w-    c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCTVOICE]
2001-11-13 12:50    163840    ----a-w-    c:\windows\system32\pctspk.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2008-11-12 09:05    141336    ----a-w-    c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-17 19:53    421888    ----a-w-    c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2013-06-21 07:58    19875432    ----a-r-    c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2013-07-02 08:16    254336    ----a-w-    c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-11-10 10:03    39408    ----a-w-    c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Update Service]
c:\program files\Common Files\xQ4e5dFM40\ofntxopie.exe [BU]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\LMabcoms.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"15680:TCP"= 15680:TCP:NortonAV
"12913:TCP"= 12913:TCP:NortonAV
"16616:TCP"= 16616:TCP:NortonAV
"13508:TCP"= 13508:TCP:NortonAV
"16193:TCP"= 16193:TCP:NortonAV
"18466:TCP"= 18466:TCP:NortonAV
"12181:TCP"= 12181:TCP:NortonAV
"18288:TCP"= 18288:TCP:NortonAV
"14150:TCP"= 14150:TCP:NortonAV
"18388:TCP"= 18388:TCP:NortonAV
"12552:TCP"= 12552:TCP:NortonAV
"15734:TCP"= 15734:TCP:NortonAV
"13953:TCP"= 13953:TCP:NortonAV
"17378:TCP"= 17378:TCP:NortonAV
"13859:TCP"= 13859:TCP:NortonAV
"13032:TCP"= 13032:TCP:NortonAV
"13114:TCP"= 13114:TCP:NortonAV
"17054:TCP"= 17054:TCP:NortonAV
"18035:TCP"= 18035:TCP:NortonAV
"16829:TCP"= 16829:TCP:NortonAV
"17120:TCP"= 17120:TCP:NortonAV
"15863:TCP"= 15863:TCP:NortonAV
"14234:TCP"= 14234:TCP:NortonAV
"16517:TCP"= 16517:TCP:NortonAV
"16992:TCP"= 16992:TCP:NortonAV
"18571:TCP"= 18571:TCP:NortonAV
"18730:TCP"= 18730:TCP:NortonAV
"14197:TCP"= 14197:TCP:NortonAV
"15320:TCP"= 15320:TCP:NortonAV
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2004-08-03 14336]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai    REG_MULTI_SZ       Akamai
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-03-16 10:11    1150280    ----a-w-    c:\program files\Google\Chrome\Application\33.0.1750.154\Installer\chrmstp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 02:32    128512    ----a-w-    c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2014-03-27 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-10-15 13:13]
.
2014-02-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 15:57]
.
2014-03-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 10:49]
.
2014-03-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 10:49]
.
2014-03-31 c:\windows\Tasks\User_Feed_Synchronization-{2C26800B-312C-4408-BF2E-0FCE7A19DD22}.job
- c:\windows\system32\msfeedssync.exe [2010-02-02 02:31]
.
.
------- Supplementary Scan -------
.
uStart Page = https://www.google.rs/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
uInternet Settings,ProxyOverride = 127.0.0.1:9421;<local>;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
Trusted Zone: bancaintesabeograd.com\online
Trusted Zone: dunav.com\osiguranje
TCP: DhcpNameServer = 192.168.1.1
DPF: {73848533-39E1-49F1-9363-28054268C094} - hxxps://online.bancaintesabeograd.com/RetailDLL/FSINT9.dll
DPF: {76326493-E84F-4D4B-939C-1E07B50037F2} - hxxps://online.bancaintesabeograd.com/RetailDLL/SGCMSCCD.DLL
FF - ProfilePath - c:\documents and settings\xp\Application Data\Mozilla\Firefox\Profiles\yv9hxbxf.default\
FF - prefs.js: browser.startup.homepage - https:/www.google.com
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=UP97DF&PC=UP97&q=
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
SSODL-UpdateCheck-{2312EE2D-B309-4AC2-A6F0-CF6B87E1E946} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-03-31 18:02
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Akamai]
"ServiceDll"="c:\program files\common files\akamai/netsession_win_8fa3539.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\BizniSOFT]
"ImagePath"="\"c:\program files\BizniSOFT\DataBase\bin\mysqld-nt\" \"--defaults-file=c:\program files\BizniSOFT\DataBase\my.ini\" BizniSOFT"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Classes\CLSID\{9F77B854-B8B2-FF4B-BAF7-AF57EC9609D6}]
@Denied: (A 4) (Everyone)
.
[HKEY_USERS\.Default\Software\Classes\CLSID\{CEDD9595-CF07-E840-A467-B4144303BB30}]
@Denied: (A 4) (Everyone)
.
[HKEY_USERS\.Default\Software\Win7zip]
@Denied: (A B 2 3) (Everyone)
"Uuid"=hex:ce,dd,95,95,cf,07,e8,40,a4,67,b4,14,43,03,bb,30
.
[HKEY_USERS\S-1-5-21-1659004503-1580436667-1060284298-1003\Software\Win7zip]
@Denied: (A B 2 3) (Everyone)
"Uuid"=hex:9f,77,b8,54,b8,b2,ff,4b,ba,f7,af,57,ec,96,09,d6
.
[HKEY_USERS\S-1-5-21-1659004503-1580436667-1060284298-1003_Classes\CLSID\{9F77B854-B8B2-FF4B-BAF7-AF57EC9609D6}]
@Denied: (A 4) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2352)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
- - - - - - - > 'explorer.exe'(3288)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\browselc.dll
c:\program files\Common Files\Ahead\Lib\NeroDigitalExt.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
c:\windows\system32\shdoclc.dll
.
Completion time: 2014-03-31  18:03:59
ComboFix-quarantined-files.txt  2014-03-31 16:03
ComboFix2.txt  2010-02-02 07:50
.
Pre-Run: 140.129.280.000 bytes free
Post-Run: 140.925.394.944 bytes free
.
- - End Of File - - D215323AF5A7320E771E0EAF8B6F5B8E
8F558EB6672622401DA993E1E865C861
 





#2 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:11:10 PM

Posted 31 March 2014 - 10:16 AM

Hello! Welcome to BleepingComputer Forums! :welcome:
My name is Georgi and I will be helping you with your computer problems.

Before we begin, please note the following:

  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.

 

Make sure you can view hidden files and folders...
Check this out: How to see hidden files in Windows


Now can you please go to

c:\windows\system32\AlmopmuZtuzq.dll

and right-click on it, select Send To > Compressed (zipped) Folder; that will make a zipped copy of this file...
Then please upload it to http://www.bleepingcomputer.com/submit-malware.php?channel=122 so I can examine the file and submit to antivirus companies if needed.
After that please delete the zip file you just created.

 

Thanks!

 

 

Regards,

Georgi




#3 2d2f

2d2f
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:10:10 PM

Posted 31 March 2014 - 03:31 PM

Thanks Georgi,

 

I submitted the file.


Edited by 2d2f, 31 March 2014 - 03:32 PM.


#4 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:11:10 PM

Posted 31 March 2014 - 04:55 PM

Hello,

 

Thank you for the file! :)

 

We need to execute a CFScript to clean some remnants.

Please do this:


1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

2. Open notepad => navigate to format and make sure that wordwrap is unchecked. <--- important !!!

3. Copy/paste the text in the codebox below into it:
 

Folder::
c:\program files\Common Files\Akiku
c:\program files\Common Files\xQ4e5dFM40
File::
c:\windows\system32\AlmopmuZtuzq.dll
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AKiku"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AKiku"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AKiku"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AKiku]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Update Service]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall" =dword:00000001
DDS::
uInternet Settings,ProxyOverride = 127.0.0.1:9421;<local>;*.local
RegLockDel::
[HKEY_USERS\.Default\Software\Classes\CLSID\{9F77B854-B8B2-FF4B-BAF7-AF57EC9609D6}]
[HKEY_USERS\.Default\Software\Classes\CLSID\{CEDD9595-CF07-E840-A467-B4144303BB30}]
[HKEY_USERS\.Default\Software\Win7zip]
[HKEY_USERS\S-1-5-21-1659004503-1580436667-1060284298-1003\Software\Win7zip]
[HKEY_USERS\S-1-5-21-1659004503-1580436667-1060284298-1003_Classes\CLSID\{9F77B854-B8B2-FF4B-BAF7-AF57EC9609D6}]

4. Save this as CFScript.txt, in the same location as ComboFix.exe

5. Close any open browsers.

6. Referring to the picture below, drag CFScript into ComboFix.exe

 

Z3PoF.gif

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



Also reply back to let me know how things are going.

 

 

Regards,

Georgi


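Added example (not from either poster, and not ComboFix's own code): a small Python script that reads the "Reg Loading Points" area of a ComboFix log like the one in post #1, flags the things Georgi's CFScript in post #4 targets, and drafts the matching CFScript directives. The flagging rules are mine: a Run value or startupreg entry that ComboFix printed with a [BU] / [X] tag instead of a "[date size]" stamp, EnableFirewall set to 0, a non-empty ProxyOverride, and any key ComboFix listed with an @Denied ACL. The excerpt in SAMPLE_LOG is constructed from the posted log, and PROTECTED_DIRS is an assumed safety list so a flagged file inside system32 or Program Files never turns into a Folder:: deletion. The directive names and value syntax (Folder::, File::, Registry::, "Name"=-, [-Key], =dword:, DDS::, RegLockDel::) are copied from the script Georgi posted; the output is a draft for a human to check, not something to drop onto ComboFix.exe unread.

```python
"""Triage a ComboFix log's autostart section and draft a CFScript.
Added example; the heuristics are my own. Directive names and value
syntax follow the CFScript posted in this thread."""
import ntpath
import re

# Constructed excerpt, modelled on the log in post #1 (not the full log).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AKiku"="c:\program files\Common Files\Akiku\tjiujsnjb.exe" [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-11-10 39408]
"AKiku"="c:\program files\Common Files\Akiku\tjiujsnjb.exe" [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2013-11-21 16:57    959904    ----a-w-    c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Update Service]
c:\program files\Common Files\xQ4e5dFM40\ofntxopie.exe [BU]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
uInternet Settings,ProxyOverride = 127.0.0.1:9421;<local>;*.local
[HKEY_USERS\.Default\Software\Win7zip]
@Denied: (A B 2 3) (Everyone)
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
RUN_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s*(?P<tag>\[.*\])?$')
STAMP_RE = re.compile(r"^\[\d{4}-\d{2}-\d{2} \d+\]$")        # e.g. [2009-11-10 39408]
DATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+\d+\s+\S+\s+\S")
UNDATED_RE = re.compile(r"^(?P<path>[a-z]:\\.+?\.exe)\s*\[[A-Z]+\]$", re.I)
FIREWALL_RE = re.compile(r'^"EnableFirewall"\s*=\s*(?P<val>\d+)')
PROXY_RE = re.compile(r"^uInternet Settings,ProxyOverride = (?P<val>.+)$")
# Assumed safety list: never emit these as Folder:: targets.
PROTECTED_DIRS = {r"c:\windows", r"c:\windows\system32",
                  r"c:\program files", r"c:\program files\common files"}


def parse(log_text):
    """Collect indicators from the 'Reg Loading Points' area of a ComboFix log."""
    f = {"unverified_autostarts": [],   # (key, value name or None, exe path)
         "firewall_disabled_keys": [], "proxy_override": None, "locked_keys": []}
    key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = PROXY_RE.match(line)
        if m:
            f["proxy_override"] = m.group("val")
            continue
        if key is None:
            continue
        fw = FIREWALL_RE.match(line)
        if line.startswith("@Denied:"):
            if key not in f["locked_keys"]:            # ACL-locked key -> RegLockDel::
                f["locked_keys"].append(key)
        elif fw and fw.group("val") == "0":
            f["firewall_disabled_keys"].append(key)
        elif key.lower().endswith("\\run"):
            m = RUN_VALUE_RE.match(line)
            # Stamped entries carry "[date size]"; a [BU]/[X] tag means ComboFix
            # recorded no verified file behind the value.
            if m and not (m.group("tag") and STAMP_RE.match(m.group("tag"))):
                f["unverified_autostarts"].append((key, m.group("name"), m.group("path")))
        elif "\\msconfig\\startupreg\\" in key.lower() and not DATED_RE.match(line):
            m = UNDATED_RE.match(line)
            if m:
                f["unverified_autostarts"].append((key, None, m.group("path")))
    return f


def build_cfscript(f):
    """Draft CFScript text from the findings; a human reviews it before use."""
    folders, files, registry, dds = [], [], [], []
    for key, name, path in f["unverified_autostarts"]:
        if path not in files:
            files.append(path)
        folder = ntpath.dirname(path)
        if folder.lower() not in PROTECTED_DIRS and folder not in folders:
            folders.append(folder)
        if name is not None:
            registry += ["[%s]" % key, '"%s"=-' % name]    # delete one value
        else:
            registry.append("[-%s]" % key)                  # delete the whole key
    for key in f["firewall_disabled_keys"]:
        registry += ["[%s]" % key, '"EnableFirewall" =dword:00000001']
    if f["proxy_override"]:
        dds.append("uInternet Settings,ProxyOverride = " + f["proxy_override"])
    reglock = ["[%s]" % k for k in f["locked_keys"]]
    out = []
    for header, body in (("Folder::", folders), ("File::", files),
                         ("Registry::", registry), ("DDS::", dds),
                         ("RegLockDel::", reglock)):
        if body:
            out.append(header)
            out.extend(body)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(build_cfscript(parse(SAMPLE_LOG)), end="")
```

Run it as-is and it prints a draft with the two Common Files folders under Folder::, the two flagged executables under File::, the three AKiku / "Windows Update Service" registry removals plus the EnableFirewall reset under Registry::, the ProxyOverride line under DDS:: and the Win7zip key under RegLockDel::. The Google toolbar and Adobe ARM entries carry a date/size stamp and are left alone, which is the point of the stamp check: only entries ComboFix could not tie to a verified file get proposed for removal.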


#5 2d2f

2d2f
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:10:10 PM

Posted 01 April 2014 - 03:13 PM

 

ComboFix 14-03-24.01 - xp 02.04.14  21:59:30.4.1 - x86

Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1014.445 [GMT 2:00]
Running from: C:\ComboFix.exe
Command switches used :: C:\CFScript.txt
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
 * Created a new restore point
.
FILE ::
"c:\windows\system32\AlmopmuZtuzq.dll"
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Common Files\Akiku
c:\program files\Common Files\Akiku\aubbzhzge.exe
c:\program files\Common Files\Akiku\lgzovopie.exe
c:\program files\Common Files\Akiku\ogtxcdlve.exe
c:\program files\Common Files\Akiku\rbgiypzyt.exe
c:\program files\Common Files\Akiku\tjiujsnjb.exe
c:\program files\Common Files\Akiku\vfwhhydlr.exe
c:\program files\Common Files\Akiku\zqhkkangs.exe
c:\program files\Common Files\xQ4e5dFM40
c:\windows\system32\AlmopmuZtuzq.dll
.
.
(((((((((((((((((((((((((   Files Created from 2014-03-02 to 2014-04-02  )))))))))))))))))))))))))))))))
.
.
2014-04-02 20:08 . 2014-04-02 20:08 -------- d-sh--w- c:\program files\Common Files\Akiku
2014-03-31 21:40 . 2014-03-31 21:40 -------- d-----w- c:\program files\McAfee Security Scan
2014-03-31 14:33 . 2014-04-01 22:07 107736 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-03-31 12:58 . 2014-03-31 14:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2014-03-31 12:58 . 2014-03-31 15:08 -------- d-----w- c:\program files\Spybot - Search & Destroy 2
2014-03-31 12:48 . 2014-03-31 12:49 -------- d-----w- c:\documents and settings\Administrator
2014-03-31 12:30 . 2014-03-05 07:26 50648 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-03-31 12:30 . 2014-03-05 07:26 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-03-31 12:30 . 2014-03-31 14:33 -------- d-----w- c:\program files\Malwarebytes Anti-Malware
2014-03-31 12:30 . 2014-03-31 12:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-03-12 13:13 . 2013-10-15 11:05 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-03-12 13:13 . 2013-10-15 11:05 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-01-30 14:40 . 2014-01-30 14:40 145408 ----a-w- c:\windows\system32\javacpl.cpl
2014-01-30 14:40 . 2014-01-30 14:34 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
1996-08-08 10:30 . 1996-08-08 10:30 68880 -c--a-w- c:\program files\REGINI.EXE
1994-09-16 13:00 . 1994-09-16 13:00 20976 -c--a-w- c:\program files\CTL3D.DLL
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-11-10 39408]
"AKiku"="c:\program files\Common Files\Akiku\dwrdsyetp.exe" [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AKiku"="c:\program files\Common Files\Akiku\dwrdsyetp.exe" [BU]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
"IE7-10"="advpack.dll" [2009-03-08 128512]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\3.8.141\SSScheduler.exe [2014-1-16 277920]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"TaskbarNoNotification"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"TaskbarNoNotification"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ   autocheck autochk *\0\0sdnclean.exe
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
backup=c:\windows\pss\McAfee Security Scan Plus.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Personal.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Personal.lnk
backup=c:\windows\pss\Personal.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2013-11-21 16:57 959904 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-11-28 13:13 59280 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2006-02-01 15:45 98304 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-03 23:56 15360 ------w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HDAudDeck]
2009-11-16 08:49 33681408 ----a-r- c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-11-12 09:04 173592 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2008-11-12 09:05 141336 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-08-11 15:30 249856 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-08-11 15:30 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-12-12 12:57 152544 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 14:40 155648 ----a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCTVOICE]
2001-11-13 12:50 163840 ----a-w- c:\windows\system32\pctspk.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2008-11-12 09:05 141336 ----a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-17 19:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2013-06-21 07:58 19875432 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2013-07-02 08:16 254336 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-11-10 10:03 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\LMabcoms.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"15680:TCP"= 15680:TCP:NortonAV
"12913:TCP"= 12913:TCP:NortonAV
"16616:TCP"= 16616:TCP:NortonAV
"13508:TCP"= 13508:TCP:NortonAV
"16193:TCP"= 16193:TCP:NortonAV
"18466:TCP"= 18466:TCP:NortonAV
"12181:TCP"= 12181:TCP:NortonAV
"18288:TCP"= 18288:TCP:NortonAV
"14150:TCP"= 14150:TCP:NortonAV
"18388:TCP"= 18388:TCP:NortonAV
"12552:TCP"= 12552:TCP:NortonAV
"15734:TCP"= 15734:TCP:NortonAV
"13953:TCP"= 13953:TCP:NortonAV
"17378:TCP"= 17378:TCP:NortonAV
"13859:TCP"= 13859:TCP:NortonAV
"13032:TCP"= 13032:TCP:NortonAV
"13114:TCP"= 13114:TCP:NortonAV
"17054:TCP"= 17054:TCP:NortonAV
"18035:TCP"= 18035:TCP:NortonAV
"16829:TCP"= 16829:TCP:NortonAV
"17120:TCP"= 17120:TCP:NortonAV
"15863:TCP"= 15863:TCP:NortonAV
"14234:TCP"= 14234:TCP:NortonAV
"16517:TCP"= 16517:TCP:NortonAV
"16992:TCP"= 16992:TCP:NortonAV
"18571:TCP"= 18571:TCP:NortonAV
"18730:TCP"= 18730:TCP:NortonAV
"14197:TCP"= 14197:TCP:NortonAV
"15320:TCP"= 15320:TCP:NortonAV
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [04.08.04 1:56 14336]
R2 BizniSOFT;BizniSOFT;"c:\program files\BizniSOFT\DataBase\bin\mysqld-nt" "--defaults-file=c:\program files\BizniSOFT\DataBase\my.ini" BizniSOFT --> c:\program files\BizniSOFT\DataBase\bin\mysqld-nt [?]
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes Anti-Malware\mbamscheduler.exe [31.03.14 14:30 1809720]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes Anti-Malware\mbamservice.exe [31.03.14 14:30 857912]
R2 ppsio;PrmxPPDev;c:\windows\system32\drivers\PPSIO.SYS [23.02.06 15:38 22688]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [31.03.14 14:30 23256]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [02.02.10 9:25 1418368]
S2 IObitBarService;IObit Toolbar Service;c:\progra~1\IObitBar\toolbar\1.bin\i0barsvc.exe [15.12.10 12:27 28766]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [21.06.13 9:53 162408]
S3 CFcatchme;CFcatchme;\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\CFcatchme.sys --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\CFcatchme.sys [?]
S3 GemCCID;GemCCID;c:\windows\system32\drivers\GemCCID.sys [19.06.09 15:56 87424]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\3.8.141\McCHSvc.exe [16.01.14 2:39 235696]
S3 TodosAgmII;Driver for Todos Argos Mini II;c:\windows\system32\Drivers\AgmIIusb.sys --> c:\windows\system32\Drivers\AgmIIusb.sys [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ   Akamai
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-03-16 10:11 1150280 ----a-w- c:\program files\Google\Chrome\Application\33.0.1750.154\Installer\chrmstp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 02:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2014-03-31 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-10-15 13:13]
.
2014-02-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 15:57]
.
2014-04-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 10:49]
.
2014-04-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 10:49]
.
2014-04-02 c:\windows\Tasks\User_Feed_Synchronization-{2C26800B-312C-4408-BF2E-0FCE7A19DD22}.job
- c:\windows\system32\msfeedssync.exe [2010-02-02 02:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
Trusted Zone: bancaintesabeograd.com\online
Trusted Zone: dunav.com\osiguranje
TCP: DhcpNameServer = 192.168.1.1
DPF: {73848533-39E1-49F1-9363-28054268C094} - hxxps://online.bancaintesabeograd.com/RetailDLL/FSINT9.dll
DPF: {76326493-E84F-4D4B-939C-1E07B50037F2} - hxxps://online.bancaintesabeograd.com/RetailDLL/SGCMSCCD.DLL
FF - ProfilePath - c:\documents and settings\xp\Application Data\Mozilla\Firefox\Profiles\yv9hxbxf.default\
FF - prefs.js: browser.startup.homepage - https:/www.google.com
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=UP97DF&PC=UP97&q=
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\Token Manager.lnk - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-04-02 22:08
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Akamai]
"ServiceDll"="c:\program files\common files\akamai/netsession_win_8fa3539.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\BizniSOFT]
"ImagePath"="\"c:\program files\BizniSOFT\DataBase\bin\mysqld-nt\" \"--defaults-file=c:\program files\BizniSOFT\DataBase\my.ini\" BizniSOFT"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1659004503-1580436667-1060284298-1003\Software\Win7zip]
@Denied: (A B 2 3) (Everyone)
"Uuid"=hex:9f,77,b8,54,b8,b2,ff,4b,ba,f7,af,57,ec,96,09,d6
.
[HKEY_USERS\S-1-5-21-1659004503-1580436667-1060284298-1003_Classes\CLSID\{9F77B854-B8B2-FF4B-BAF7-AF57EC9609D6}]
@Denied: (A 4) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aubbzhzge.exe]
@Denied: (A B 2 3) (Everyone)
"DisableExceptionChainValidation"=""
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwrdsyetp.exe]
@Denied: (A B 2 3) (Everyone)
"DisableExceptionChainValidation"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2844)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
- - - - - - - > 'explorer.exe'(2576)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\browselc.dll
c:\program files\Common Files\Ahead\Lib\NeroDigitalExt.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
c:\windows\system32\shdoclc.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\SCardSvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\BizniSOFT\DataBase\bin\mysqld-nt.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre7\bin\jqs.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
.
**************************************************************************
.
Completion time: 2014-04-02  22:11:58 - machine was rebooted
ComboFix-quarantined-files.txt  2014-04-02 20:11
ComboFix2.txt  2010-02-02 07:50
.
Pre-Run: 140.713.959.424 bytes free
Post-Run: 140.713.422.848 bytes free
.
- - End Of File - - 543B2EF10E038E810258A9400CFA1503
8F558EB6672622401DA993E1E865C861
 

 



#6 B-boy/StyLe/
Bleepin' Freestyler
  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 01 April 2014 - 04:13 PM

Hello,

 

We need to run another CFScript to clean some remnants.

Please do this:


1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

2. Open notepad => navigate to format and make sure that wordwrap is unchecked. <--- important !!!

3. Copy/paste the text in the codebox below into it:
 

Driver::
IObitBarService
Folder::
c:\program files\Common Files\Akiku
c:\program files\IObitBar
RegLockDel::
[HKEY_USERS\S-1-5-21-1659004503-1580436667-1060284298-1003\Software\Win7zip]
[HKEY_USERS\S-1-5-21-1659004503-1580436667-1060284298-1003_Classes\CLSID\{9F77B854-B8B2-FF4B-BAF7-AF57EC9609D6}]
RegLock::
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aubbzhzge.exe]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwrdsyetp.exe]
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AKiku"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AKiku"=-
[-HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aubbzhzge.exe]
[-HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwrdsyetp.exe]

 

4. Save this as CFScript.txt, in the same location as ComboFix.exe

5. Close any open browsers.

6. Referring to the picture below, drag CFScript onto ComboFix.exe.

(picture: CFScript.txt being dragged onto ComboFix.exe)

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


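The two Image File Execution Options keys in the log above (aubbzhzge.exe and dwrdsyetp.exe, each with an ACL that denies Everyone and an empty DisableExceptionChainValidation value) are exactly what the RegLock:: and RegLockDel:: directives in this script undo. As an added example, not part of this thread and not ComboFix's own code, the following PowerShell audits that key with the stock .NET registry classes and reports every IFEO subkey that is locked against Everyone or that carries a Debugger or DisableExceptionChainValidation value. The key path, the value names and the SID S-1-1-0 are Microsoft's documented ones; the function and variable names are this example's own. It only reads.

```powershell
# Added example: audit HKLM IFEO for locked subkeys and Debugger/SEHOP values.
# Not code from the thread or from ComboFix; uses only the stock .NET registry API.
# Run from an elevated PowerShell prompt (PowerShell 2.0 syntax, so it also runs on XP).

$IfeoPath    = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$EveryoneSid = 'S-1-1-0'   # well-known SID for Everyone, the principal ComboFix lists as denied

function Get-IfeoFinding {
    param([string]$Path = $IfeoPath)

    $root = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($Path, $false)
    if (-not $root) { throw "Key not found: HKLM\$Path" }

    # Listing subkey names only needs KEY_ENUMERATE_SUB_KEYS on the parent,
    # so a locked child still shows up here even though it cannot be opened.
    foreach ($name in $root.GetSubKeyNames()) {
        $locked   = $false
        $debugger = $null
        $sehop    = $null
        $sub      = $null
        try {
            $sub = $root.OpenSubKey($name, $false)
        } catch [System.Security.SecurityException] {
            # KEY_READ denied to Everyone: what ComboFix prints under
            # "LOCKED REGISTRY KEYS" as "@Denied: ... (Everyone)".
            $locked = $true
        }
        if ($sub) {
            try {
                # The key opened, but check for an explicit Deny ACE for Everyone anyway
                # (the current token may hold a privilege that bypasses it).
                $rules = $sub.GetAccessControl().GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
                $deny  = @($rules | Where-Object { $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -eq $EveryoneSid })
                if ($deny.Count -gt 0) { $locked = $true }
            } catch {
                # READ_CONTROL denied as well: treat as locked.
                $locked = $true
            }
            $debugger = $sub.GetValue('Debugger')
            $sehop    = $sub.GetValue('DisableExceptionChainValidation')
            $sub.Close()
        }
        # Report anything that is locked or that changes how the named image is started.
        if ($locked -or ($null -ne $debugger) -or ($null -ne $sehop)) {
            New-Object PSObject -Property @{
                Image                           = $name
                Locked                          = $locked
                Debugger                        = $debugger
                DisableExceptionChainValidation = $sehop
            }
        }
    }
    $root.Close()
}

Get-IfeoFinding | Select-Object Image, Locked, Debugger, DisableExceptionChainValidation | Format-Table -AutoSize
```

A Debugger value planted by a developer tool (a JIT debugger, for instance) is legitimate, and a DisableExceptionChainValidation opt-out can be left behind by an installer, so the output needs reading rather than blind deletion; the signal in this thread is a randomly named image whose key is locked. Unlocking such a key, which is what RegLock:: does, means taking ownership of it (RegistryRights.TakeOwnership) and stripping the Deny ACEs before it can be read or deleted; this script deliberately stops at reporting.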


#7 2d2f (Topic Starter)

Posted 01 April 2014 - 05:03 PM

It seems that it solved the problem


 

ComboFix 14-03-24.01 - xp 02.04.14  23:50:46.5.1 - x86

Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1014.432 [GMT 2:00]
Running from: C:\ComboFix.exe
Command switches used :: C:\CFScript.txt
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Common Files\Akiku
c:\program files\Common Files\Akiku\dwrdsyetp.exe
c:\program files\IObitBar
c:\program files\IObitBar\toolbar\1.bin\CHROME.MANIFEST
c:\program files\IObitBar\toolbar\1.bin\chrome\i0ffxtbr.jar
c:\program files\IObitBar\toolbar\1.bin\i0bar.dll
c:\program files\IObitBar\toolbar\1.bin\i0barsvc.exe
c:\program files\IObitBar\toolbar\1.bin\i0brstub.dll
c:\program files\IObitBar\toolbar\1.bin\i0dyn.dll
c:\program files\IObitBar\toolbar\1.bin\i0highin.exe
c:\program files\IObitBar\toolbar\1.bin\i0impipe.exe
c:\program files\IObitBar\toolbar\1.bin\i0medint.exe
c:\program files\IObitBar\toolbar\1.bin\i0msg.dll
c:\program files\IObitBar\toolbar\1.bin\i0Plugin.dll
c:\program files\IObitBar\toolbar\1.bin\INSTALL.RDF
c:\program files\IObitBar\toolbar\1.bin\LOGO.BMP
c:\program files\IObitBar\toolbar\1.bin\NPi0Stub.dll
c:\program files\IObitBar\toolbar\Cache\0001467A.bmp
c:\program files\IObitBar\toolbar\Cache\000149C5.bmp
c:\program files\IObitBar\toolbar\Cache\00014C85.bmp
c:\program files\IObitBar\toolbar\Cache\0001587B.bmp
c:\program files\IObitBar\toolbar\Cache\00015A7F.bmp
c:\program files\IObitBar\toolbar\Cache\00015F13.bmp
c:\program files\IObitBar\toolbar\Cache\00016443.bmp
c:\program files\IObitBar\toolbar\Cache\00016637.bmp
c:\program files\IObitBar\toolbar\Cache\00016869.bmp
c:\program files\IObitBar\toolbar\Cache\000169C1.bmp
c:\program files\IObitBar\toolbar\Cache\00179990
c:\program files\IObitBar\toolbar\Cache\00A12E44
c:\program files\IObitBar\toolbar\Cache\0159128F.bmp
c:\program files\IObitBar\toolbar\Cache\015913C8.bmp
c:\program files\IObitBar\toolbar\Cache\01591493.bmp
c:\program files\IObitBar\toolbar\Cache\0159158D.bmp
c:\program files\IObitBar\toolbar\Cache\01591639.bmp
c:\program files\IObitBar\toolbar\Cache\015916C6.bmp
c:\program files\IObitBar\toolbar\Cache\01591771.bmp
c:\program files\IObitBar\toolbar\Cache\015918BA.bmp
c:\program files\IObitBar\toolbar\Cache\01591956.bmp
c:\program files\IObitBar\toolbar\Cache\015919F2.bmp
c:\program files\IObitBar\toolbar\Cache\0180BEB0.bmp
c:\program files\IObitBar\toolbar\Cache\0180BF7B.bmp
c:\program files\IObitBar\toolbar\Cache\0180C008.bmp
c:\program files\IObitBar\toolbar\Cache\files.ini
c:\program files\IObitBar\toolbar\History\search3
c:\program files\IObitBar\toolbar\Settings\prevcfg2.htm
c:\program files\IObitBar\toolbar\Settings\s_pid.dat
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_IOBITBARSERVICE
-------\Service_IObitBarService
.
.
(((((((((((((((((((((((((   Files Created from 2014-03-02 to 2014-04-02  )))))))))))))))))))))))))))))))
.
.
2014-03-31 21:40 . 2014-03-31 21:40 -------- d-----w- c:\program files\McAfee Security Scan
2014-03-31 14:33 . 2014-04-01 22:07 107736 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-03-31 12:58 . 2014-03-31 14:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2014-03-31 12:58 . 2014-03-31 15:08 -------- d-----w- c:\program files\Spybot - Search & Destroy 2
2014-03-31 12:48 . 2014-03-31 12:49 -------- d-----w- c:\documents and settings\Administrator
2014-03-31 12:30 . 2014-03-05 07:26 50648 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-03-31 12:30 . 2014-03-05 07:26 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-03-31 12:30 . 2014-03-31 14:33 -------- d-----w- c:\program files\Malwarebytes Anti-Malware
2014-03-31 12:30 . 2014-03-31 12:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-03-12 13:13 . 2013-10-15 11:05 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-03-12 13:13 . 2013-10-15 11:05 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-01-30 14:40 . 2014-01-30 14:40 145408 ----a-w- c:\windows\system32\javacpl.cpl
2014-01-30 14:40 . 2014-01-30 14:34 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
1996-08-08 10:30 . 1996-08-08 10:30 68880 -c--a-w- c:\program files\REGINI.EXE
1994-09-16 13:00 . 1994-09-16 13:00 20976 -c--a-w- c:\program files\CTL3D.DLL
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-11-10 39408]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
"IE7-10"="advpack.dll" [2009-03-08 128512]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\3.8.141\SSScheduler.exe [2014-1-16 277920]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"TaskbarNoNotification"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"TaskbarNoNotification"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ   autocheck autochk *\0\0sdnclean.exe
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
backup=c:\windows\pss\McAfee Security Scan Plus.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Personal.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Personal.lnk
backup=c:\windows\pss\Personal.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2013-11-21 16:57 959904 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-11-28 13:13 59280 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2006-02-01 15:45 98304 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-03 23:56 15360 ------w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HDAudDeck]
2009-11-16 08:49 33681408 ----a-r- c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-11-12 09:04 173592 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2008-11-12 09:05 141336 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-08-11 15:30 249856 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-08-11 15:30 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-12-12 12:57 152544 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 14:40 155648 ----a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCTVOICE]
2001-11-13 12:50 163840 ----a-w- c:\windows\system32\pctspk.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2008-11-12 09:05 141336 ----a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-17 19:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2013-06-21 07:58 19875432 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2013-07-02 08:16 254336 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-11-10 10:03 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\LMabcoms.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"15680:TCP"= 15680:TCP:NortonAV
"12913:TCP"= 12913:TCP:NortonAV
"16616:TCP"= 16616:TCP:NortonAV
"13508:TCP"= 13508:TCP:NortonAV
"16193:TCP"= 16193:TCP:NortonAV
"18466:TCP"= 18466:TCP:NortonAV
"12181:TCP"= 12181:TCP:NortonAV
"18288:TCP"= 18288:TCP:NortonAV
"14150:TCP"= 14150:TCP:NortonAV
"18388:TCP"= 18388:TCP:NortonAV
"12552:TCP"= 12552:TCP:NortonAV
"15734:TCP"= 15734:TCP:NortonAV
"13953:TCP"= 13953:TCP:NortonAV
"17378:TCP"= 17378:TCP:NortonAV
"13859:TCP"= 13859:TCP:NortonAV
"13032:TCP"= 13032:TCP:NortonAV
"13114:TCP"= 13114:TCP:NortonAV
"17054:TCP"= 17054:TCP:NortonAV
"18035:TCP"= 18035:TCP:NortonAV
"16829:TCP"= 16829:TCP:NortonAV
"17120:TCP"= 17120:TCP:NortonAV
"15863:TCP"= 15863:TCP:NortonAV
"14234:TCP"= 14234:TCP:NortonAV
"16517:TCP"= 16517:TCP:NortonAV
"16992:TCP"= 16992:TCP:NortonAV
"18571:TCP"= 18571:TCP:NortonAV
"18730:TCP"= 18730:TCP:NortonAV
"14197:TCP"= 14197:TCP:NortonAV
"15320:TCP"= 15320:TCP:NortonAV
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [04.08.04 1:56 14336]
R2 BizniSOFT;BizniSOFT;"c:\program files\BizniSOFT\DataBase\bin\mysqld-nt" "--defaults-file=c:\program files\BizniSOFT\DataBase\my.ini" BizniSOFT --> c:\program files\BizniSOFT\DataBase\bin\mysqld-nt [?]
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes Anti-Malware\mbamscheduler.exe [31.03.14 14:30 1809720]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes Anti-Malware\mbamservice.exe [31.03.14 14:30 857912]
R2 ppsio;PrmxPPDev;c:\windows\system32\drivers\PPSIO.SYS [23.02.06 15:38 22688]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [31.03.14 14:30 23256]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [02.02.10 9:25 1418368]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [21.06.13 9:53 162408]
S3 CFcatchme;CFcatchme;\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\CFcatchme.sys --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\CFcatchme.sys [?]
S3 GemCCID;GemCCID;c:\windows\system32\drivers\GemCCID.sys [19.06.09 15:56 87424]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\3.8.141\McCHSvc.exe [16.01.14 2:39 235696]
S3 TodosAgmII;Driver for Todos Argos Mini II;c:\windows\system32\Drivers\AgmIIusb.sys --> c:\windows\system32\Drivers\AgmIIusb.sys [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ   Akamai
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-03-16 10:11 1150280 ----a-w- c:\program files\Google\Chrome\Application\33.0.1750.154\Installer\chrmstp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 02:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2014-04-02 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-10-15 13:13]
.
2014-02-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 15:57]
.
2014-04-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 10:49]
.
2014-04-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 10:49]
.
2014-04-02 c:\windows\Tasks\User_Feed_Synchronization-{2C26800B-312C-4408-BF2E-0FCE7A19DD22}.job
- c:\windows\system32\msfeedssync.exe [2010-02-02 02:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
Trusted Zone: bancaintesabeograd.com\online
Trusted Zone: dunav.com\osiguranje
TCP: DhcpNameServer = 192.168.1.1
DPF: {73848533-39E1-49F1-9363-28054268C094} - hxxps://online.bancaintesabeograd.com/RetailDLL/FSINT9.dll
DPF: {76326493-E84F-4D4B-939C-1E07B50037F2} - hxxps://online.bancaintesabeograd.com/RetailDLL/SGCMSCCD.DLL
FF - ProfilePath - c:\documents and settings\xp\Application Data\Mozilla\Firefox\Profiles\yv9hxbxf.default\
FF - prefs.js: browser.startup.homepage - https:/www.google.com
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=UP97DF&PC=UP97&q=
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-04-03 00:01
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Akamai]
"ServiceDll"="c:\program files\common files\akamai/netsession_win_8fa3539.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\BizniSOFT]
"ImagePath"="\"c:\program files\BizniSOFT\DataBase\bin\mysqld-nt\" \"--defaults-file=c:\program files\BizniSOFT\DataBase\my.ini\" BizniSOFT"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1659004503-1580436667-1060284298-1003\Software\Win7zip]
@Denied: (A B 2 3) (Everyone)
"Uuid"=hex:9f,77,b8,54,b8,b2,ff,4b,ba,f7,af,57,ec,96,09,d6
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwrdsyetp.exe]
@Denied: (A B 2 3) (Everyone)
"DisableExceptionChainValidation"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(496)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\SCardSvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\BizniSOFT\DataBase\bin\mysqld-nt.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre7\bin\jqs.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
.
**************************************************************************
.
Completion time: 2014-04-03  00:05:11 - machine was rebooted
ComboFix-quarantined-files.txt  2014-04-02 22:05
ComboFix2.txt  2010-02-02 07:50
.
Pre-Run: 140.675.059.712 bytes free
Post-Run: 140.649.930.752 bytes free
.
- - End Of File - - 71B14F94F741667FBC2A890B48074A10
8F558EB6672622401DA993E1E865C861
 

You are a genius! :)



#8 B-boy/StyLe/

Posted 01 April 2014 - 05:07 PM

Hello,

 

Good work...but there are two locked registry entries which should be removed as well:

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

 

Regards,

Georgi




#9 2d2f (Topic Starter)

Posted 01 April 2014 - 05:19 PM

Here you go

Attached Files



#10 B-boy/StyLe/

Posted 01 April 2014 - 05:41 PM

Hi,
 
 
Please download the following file => and save it to the Desktop.
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.
 
 
Regards,
Georgi




#11 2d2f (Topic Starter)

Posted 01 April 2014 - 05:52 PM

Tnx

Attached Files



#12 2d2f (Topic Starter)

Posted 01 April 2014 - 05:54 PM

Going to get some sleep

Good night.



#13 B-boy/StyLe/

Posted 01 April 2014 - 06:02 PM

Hello,

 

Yeah, I need some sleep as well! I'll catch you tomorrow. :)

 

It seems that the script did its job! Also if you don't mind, I want to make sure there is nothing lurking on the system so just in case I want you to go through these steps tomorrow:

 

Most of them should take no more than 5 minutes each (but the time they take to complete can vary depending on the size of your hard drive and the speed of your computer).

 

 

STEP 1

 

 

  • Please download RKill by Grinler from the link below and save it to your desktop.

    Rkill
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply.
  • A log pops up at the end of the run. This log file is located at C:\rkill.log.
  • Please post the log in your next reply.

 

 

STEP 2

 

 

  • Please download RogueKiller.exe and save to the desktop.
  • Close all windows and browsers
  • Right-click the program and select 'Run as Administrator'
  • Press the scan button.
  • A report opens on the desktop named - RKreport.txt
  • Please copy and paste the results at pastebin.com and post the link to the log in your next reply.

 

 

STEP 3
 

 

Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
     
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
     
  • Click the Start Scan button.
     
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the results at pastebin.com and post the link to the log in your next reply.

 

 

STEP 4

 

 

Please download Malwarebytes Anti-Malware to your desktop.
 

  • Double-click mb3-setup-1878.1878-3.5.1.2522.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.
  • On the Settings tab > Detection and Protection subtab, Detection Options, tick the box 'Scan for rootkits'.
  • Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • With some infections, you may see this message box.
    • 'Could not load DDA driver'
  • Click 'Yes' to this message, to allow the driver to load after a restart.
  • Allow the computer to restart. Continue with the rest of these instructions.
  • When the scan is complete, click Apply Actions.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply.

 

 

STEP 5

 

 

1. Please download HitmanPro.

  • For 32-bit Operating System - (download link)
  • This is the mirror - (download link)
  • For 64-bit Operating System - (download link)
  • This is the mirror - (download link)

2. Launch the program by double-clicking on the HitmanPro icon. (Windows Vista/7 users: right-click on the HitmanPro icon and select Run as administrator.)

Note: If the program won't run, open it while holding down the left CTRL key until it is loaded.

3.Click on the next button. You must agree with the terms of EULA. (if asked)

4.Check the box beside "No, I only want to perform a one-time scan to check this computer".

5.Click on the next button.

6.The program will start to scan the computer. The scan will typically take no more than 2-3 minutes.

7.When the scan is done click on drop-down menu of the found entries (if any) and choose - Apply to all => Ignore <= IMPORTANT!!!
 
8.Click on the next button.

9.Click on the "Save Log" button.

10.Save that file to your desktop and post the content of that file in your next reply.
 
Note: if there isn't a drop-down menu when the scan is done, then please don't delete anything and close HitmanPro.

Navigate to C:\ProgramData\HitmanPro\Logs, open the report, and copy and paste it into your next reply.

 

 

 

STEP 6

 

 

Download Security Check by screen317 from here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

 

and then if there aren't any issues left I'll give you my final recommendations. :)

 

 

Regards,

Georgi




#14 2d2f (Topic Starter)

Posted 03 April 2014 - 08:08 AM

 

Rkill 2.6.5 by Lawrence Abrams (Grinler)

Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
 
Program started at: 04/04/2014 03:11:30 PM in x86 mode.
Windows Version: Microsoft Windows XP Service Pack 2
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * No malware processes found to kill.
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * Reparse Point/Junctions Found (Most likely legitimate)!
 
     * C:\WINDOWS\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a => C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_4.0.0.0_x-ww_29b51492 [Dir]
     * C:\WINDOWS\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler\v4.0_4.0.0.0__31bf3856ad364e35 => C:\WINDOWS\WinSxS\MSIL_Microsoft.Workflow.Compiler_31bf3856ad364e35_4.0.0.0_x-ww_97359ba5 [Dir]
 
Checking Windows Service Integrity: 
 
 * No issues found.
 
Searching for Missing Digital Signatures: 
 
 * No issues found.
 
Checking HOSTS File: 
 
 * HOSTS file entries found: 
 
  127.0.0.1       localhost
 
Program finished at: 04/04/2014 03:12:34 PM
Execution time: 0 hours(s), 1 minute(s), and 3 seconds(s)
 


#15 2d2f (Topic Starter)

Posted 03 April 2014 - 08:17 AM

Rogue




