
Pc infected byTrojan cutu.exe


  • This topic is locked
19 replies to this topic

#1 lwashere

lwashere

  • Members
  • 9 posts

Posted 10 May 2014 - 02:36 PM

Hi there

 

Sorry, I'm a newbie and I'm posting this too fast because I don't know where I need to go. I just checked in Task Manager and found out that there is some suspicious exe running without my permission.

 

So I searched the location path and it's in "C:\Users\User\AppData\Local\Temp\Odjye\cutu.exe". I have tried running HijackThis and tried fixing it by removing it in Safe Mode, but I was unable to because of the permissions.

 

The current situation is that this virus has:

- disabled all my USB and devices such as the CD-ROM, as I checked in Device Manager

- disabled Windows Update

- disabled any downloading of software (virus removal)

 

I have tried:

- searching Google by the keyword "cutu.exe", but there are only cute.exe articles and all solutions have been disabled.

- running Kaspersky (failed, for sure)

- crying a lot.

 

 

Please help, since you all are good at fixing this thing :'( . Sorry, English is not my native language.

 

I really appreciate your help :'(

 

Here I have attached the DDS report.

Attached file: DDS.txt (18.77KB)

Edited by lwashere, 10 May 2014 - 03:04 PM.



 


#2 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 10 May 2014 - 03:20 PM

Hello! Welcome to BleepingComputer Forums! :welcome:
My name is Georgi and I will be helping you with your computer problems.

Before we begin, please note the following:

  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something, don't hesitate to ask.
  • Again, I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.

 

 

Please download the latest version of Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens, click Yes to the disclaimer. Make sure that Addition.txt is ticked as well.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

 

 

You probably have Necurs rootkit:

 

2014-05-08 07:11:39    70656    ----a-w-    c:\windows\system32\axoleoyt.exe
2014-05-08 07:03:19    57216    ----a-w-    c:\windows\system32\drivers\d98facd533efe507.sys

 

 

Regards,

Georgi




#3 lwashere

lwashere
  • Topic Starter

  • Members
  • 9 posts

Posted 10 May 2014 - 11:34 PM

Hi Georgi

 

Thanks for replying.

 

 

Below is the log from FRST.txt

 

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:11-05-2014
Ran by User (administrator) on ALIF-LAPTOP on 11-05-2014 12:28:51
Running from C:\Users\User\Downloads
Platform: Microsoft Windows 7 Professional  Service Pack 1 (X86) OS Language: English(US)
Internet Explorer Version 11
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(Hewlett-Packard Company) C:\Windows\System32\hpservice.exe
(Kaspersky Lab) C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\avp.exe
(Kaspersky Lab ZAO) C:\Program Files\Kaspersky Lab\NetworkAgent 8\klnagent.exe
() C:\AppServ\MySQL\bin\mysqld-nt.exe
() C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe
(TeamViewer GmbH) C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe
(Kaspersky Lab ZAO) C:\Program Files\Kaspersky Lab\NetworkAgent 8\klnagent.exe
(Microsoft Corporation) C:\Windows\System32\FXSSVC.exe
(Sun Microsystems, Inc.) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(Adobe Systems Inc.) C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
(Kaspersky Lab) C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\avp.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Valve Corporation) C:\Program Files\Steam\Steam.exe
(Google Inc.) C:\Users\User\AppData\Local\Google\Update\GoogleUpdate.exe
() C:\Program Files\Qlock\qlock.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(OldTimer Tools) C:\Users\User\Downloads\OTC.exe


==================== Registry (Whitelisted) ==================

HKLM\...\Run: [] => [X]
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [249064 2010-10-29] (Sun Microsystems, Inc.)
HKLM\...\Run: [Acrobat Assistant 7.0] => C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe [483328 2008-04-23] (Adobe Systems Inc.)
HKLM\...\Run: [BCSSync] => C:\Program Files\Microsoft Office\Office14\BCSSync.exe [89184 2012-11-05] (Microsoft Corporation)
HKLM\...\Run: [AVP] => C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\avp.exe [311680 2010-03-12] (Kaspersky Lab)
HKLM\...\Policies\Explorer: [NoDriveTypeAutoRun_KL_notset] 1
HKU\.DEFAULT\...\RunOnce: [SPReview] - C:\Windows\System32\SPReview\SPReview.exe [280576 2013-03-21] (Microsoft Corporation)
HKU\S-1-5-21-3304836376-871355215-2393797171-1000\...\Run: [Google Update] => C:\Users\User\AppData\Local\Google\Update\GoogleUpdate.exe [116648 2013-12-07] (Google Inc.)
HKU\S-1-5-21-3304836376-871355215-2393797171-1000\...\Run: [Steam] => C:\Program Files\Steam\steam.exe [1775808 2014-05-10] (Valve Corporation)
HKU\S-1-5-21-3304836376-871355215-2393797171-1000\...\Run: [Google Update*] => [X] <===== ATTENTION (ZeroAccess rootkit hidden path)
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1.0fo\adialhk.dll => C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\adialhk.dll [85080 2011-05-21] (Kaspersky Lab ZAO)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
ShortcutTarget: Adobe Acrobat Speed Launcher.lnk -> C:\Windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe ()
Startup: C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qlock.lnk
ShortcutTarget: qlock.lnk -> C:\Program Files\Qlock\qlock.exe ()

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://malaysia.msn.com/?rd=1&ucc=MY&dcc=MY&opt=0&ocid=iehp&tc=1
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0x692C770694B8CD01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
SearchScopes: HKLM - DefaultScope value is missing.
SearchScopes: HKCU - DefaultScope {F9CD8915-B741-4D63-B97C-ADFC5BB8E9F7} URL = http://blekko.com/ws/?source=e0c8d0ad&tbp=rbox&u=40f1c03f000000000000002186da6f3f&q={searchTerms}&r=720
SearchScopes: HKCU - {F9CD8915-B741-4D63-B97C-ADFC5BB8E9F7} URL = http://blekko.com/ws/?source=e0c8d0ad&tbp=rbox&u=40f1c03f000000000000002186da6f3f&q={searchTerms}&r=720
BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
BHO: Lync Browser Helper - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office\Office15\OCHelper.dll (Microsoft Corporation)
BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
Toolbar: HKLM - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office\Office15\MSOSB.DLL (Microsoft Corporation)
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{0941CDBA-B1D8-4D31-BF4D-B6FCD8A3D38E}: [NameServer]8.8.8.8,8.8.4.4

FireFox:
========
FF ProfilePath: C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\pxnuhsl6.default-1390963190804
FF user.js: detected! => C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\pxnuhsl6.default-1390963190804\user.js
FF NetworkProxy: "type", 0
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF32_13_0_0_206.dll ()
FF Plugin: @java.com/JavaPlugin - C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin: @microsoft.com/GENUINE - disabled No File
FF Plugin: @microsoft.com/Lync,version=15.0 - C:\Program Files\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll (Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 - C:\PROGRA~1\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin: @real.com/nppl3260;version=6.0.11.2852 - C:\Program Files\Real Alternative\browser\plugins\nppl3260.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nppl3260;version=6.0.12.46 - C:\Program Files\Real Alternative\browser\plugins\nppl3260.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprpjplug;version=6.0.12.1662 - C:\Program Files\Real Alternative\browser\plugins\nprpjplug.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprpjplug;version=6.0.12.46 - C:\Program Files\Real Alternative\browser\plugins\nprpjplug.dll (RealNetworks, Inc.)
FF Plugin: @tools.google.com/Google Update;version=3 - C:\Program Files\Google\Update\1.3.22.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 - C:\Program Files\Google\Update\1.3.22.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKCU: @talk.google.com/GoogleTalkPlugin - C:\Users\User\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll (Google)
FF Plugin HKCU: @talk.google.com/O1DPlugin - C:\Users\User\AppData\Roaming\Mozilla\plugins\npo1d.dll (Google)
FF Plugin HKCU: @talk.google.com/O3DPlugin - C:\Users\User\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll ()
FF Plugin HKCU: @tools.google.com/Google Update;version=3 - C:\Users\User\AppData\Local\Google\Update\1.3.22.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKCU: @tools.google.com/Google Update;version=9 - C:\Users\User\AppData\Local\Google\Update\1.3.22.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npMeetingJoinPluginOC.dll (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppl3260.dll (RealNetworks, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nprpjplug.dll (RealNetworks, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Users\User\AppData\Roaming\mozilla\plugins\npgoogletalk.dll (Google)
FF Plugin ProgramFiles/Appdata: C:\Users\User\AppData\Roaming\mozilla\plugins\npgtpo3dautoplugin.dll ()
FF Plugin ProgramFiles/Appdata: C:\Users\User\AppData\Roaming\mozilla\plugins\npo1d.dll (Google)
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\amazon-en-GB.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\chambers-en-GB.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\eBay-en-GB.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\yahoo-en-GB.xml
FF Extension: YoutubeAdblocker - C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\pxnuhsl6.default-1390963190804\Extensions\b-5yjdc5@lpnhajdwkp.net [2014-03-18]
FF Extension: safeweeb - C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\pxnuhsl6.default-1390963190804\Extensions\mz0gueo@xceafsc.edu [2014-03-18]
FF Extension: Firebug - C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\pxnuhsl6.default-1390963190804\Extensions\firebug@software.joehewitt.com.xpi [2014-05-08]
FF Extension: User Agent Switcher - C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\pxnuhsl6.default-1390963190804\Extensions\{e968fc70-8f95-4ab9-9e79-304de2a71ee1}.xpi [2014-04-02]

Chrome:
=======
CHR Extension: (User-Agent Switcher for Chrome) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\djflhoibgkdhkhhcedjiklpkjnoahfmg [2014-04-02]
CHR Extension: (Google Wallet) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-09-04]
CHR HKLM\...\Chrome\Extension: [egnimkioipookhfihpljiedpgjffibpa] - C:\Program Files (x86)\MyBrowserCash\MBC_chrome.crx [2013-09-04]
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

========================== Services (Whitelisted) =================

Locked "d98facd533efe507" service could not be unlocked. <===== ATTENTION

S4 Apache2.2; C:\AppServ\Apache2.2\bin\httpd.exe [24635 2008-01-18] (Apache Software Foundation)
R2 AVP; C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\avp.exe [311680 2010-03-12] (Kaspersky Lab)
R2 klnagent; C:\Program Files\Kaspersky Lab\NetworkAgent 8\klnagent.exe [141688 2010-10-20] (Kaspersky Lab ZAO)
R2 mysql; C:\AppServ\MySQL\my.ini [9573 2013-08-26] ()
R2 PassThru Service; C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe [167424 2012-12-07] ()
U4 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2013-05-27] ()

==================== Drivers (Whitelisted) ====================

S3 KLFLTDEV; C:\Windows\System32\DRIVERS\klfltdev.sys [24848 2009-09-03] (Kaspersky Lab)
S1 KLIM6; C:\Windows\System32\DRIVERS\klim6.sys [22104 2011-05-21] (Kaspersky Lab ZAO)
S3 massfilter; C:\Windows\System32\drivers\massfilter.sys [9216 2010-06-03] (MBB Incorporated)
S3 USB_RNDIS; C:\Windows\System32\DRIVERS\usb8023.sys [15872 2013-02-12] (Microsoft Corporation)
S3 vncmirror; C:\Windows\System32\DRIVERS\vncmirror.sys [4608 2013-12-06] (RealVNC Ltd.)
R0 Wdf01000; C:\Windows\System32\drivers\Wdf01000.sys [527064 2013-06-26] ()
R1 WfpLwf; C:\Windows\System32\DRIVERS\wfplwf.sys [9728 2009-07-14] ()
S3 WIMMount; C:\Windows\System32\drivers\wimmount.sys [19008 2009-07-14] ()
S3 WinUsb; C:\Windows\System32\DRIVERS\WinUsb.sys [35968 2010-11-20] ()
R3 WmiAcpi; C:\Windows\system32\drivers\wmiacpi.sys [11264 2009-07-14] ()
S4 ws2ifsl; C:\Windows\system32\drivers\ws2ifsl.sys [16384 2009-07-14] ()
S3 WudfPf; C:\Windows\System32\drivers\WudfPf.sys [66560 2012-07-26] ()
S3 WUDFRd; C:\Windows\System32\DRIVERS\WUDFRd.sys [155136 2012-07-26] ()
R3 yukonw7; C:\Windows\System32\DRIVERS\yk62x86.sys [315392 2009-09-28] ()
S3 ZTEusbmdm6k; C:\Windows\System32\DRIVERS\ZTEusbmdm6k.sys [105088 2010-05-19] ()
S3 ZTEusbnmea; C:\Windows\System32\DRIVERS\ZTEusbnmea.sys [105088 2010-05-19] ()
S3 ZTEusbser6k; C:\Windows\System32\DRIVERS\ZTEusbser6k.sys [105088 2010-05-19] ()
U5 d98facd533efe507; C:\Windows\System32\Drivers\d98facd533efe507.sys [57216 2014-05-08] () <===== ATTENTION Necurs Rootkit?
U5 klif; C:\Windows\System32\Drivers\klif.sys [233560 2013-12-25] (Kaspersky Lab)
U5 UnlockerDriver5; D:\sql\Unlocker\UnlockerDriver5.sys [4096 2010-07-05] ()

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-05-11 12:28 - 2014-05-11 12:29 - 00013549 _____ () C:\Users\User\Downloads\FRST.txt
2014-05-11 12:28 - 2014-05-11 12:28 - 00000000 ____D () C:\FRST
2014-05-11 12:27 - 2014-05-11 12:28 - 01055232 _____ (Farbar) C:\Users\User\Downloads\FRST.exe
2014-05-11 04:10 - 2014-05-11 04:10 - 00201728 _____ (OldTimer Tools) C:\Users\User\Downloads\OTC.exe
2014-05-11 03:47 - 2014-05-11 03:47 - 00020545 _____ () C:\Users\User\Desktop\attach.txt
2014-05-11 03:46 - 2014-05-11 03:47 - 00688992 ____R (Swearware) C:\Users\User\Downloads\dds(1).com
2014-05-11 03:10 - 2014-05-11 03:15 - 00041859 _____ () C:\Users\User\Downloads\Addition.txt
2014-05-10 21:34 - 2014-05-10 21:34 - 00000797 _____ () C:\Users\User\Desktop\Advanced SystemCare Installer.lnk
2014-05-10 21:27 - 2014-05-10 21:34 - 04204709 _____ (IObit ) C:\Users\User\Downloads\driver_booster_setup.exe.part
2014-05-10 21:27 - 2014-05-10 21:27 - 00000000 ____D () C:\Users\User\AppData\Roaming\IObit
2014-05-10 21:27 - 2014-05-10 21:27 - 00000000 ____D () C:\ProgramData\IObit
2014-05-10 21:27 - 2014-05-10 21:27 - 00000000 ____D () C:\Program Files\IObit
2014-05-10 21:26 - 2014-05-10 21:27 - 01055040 _____ (IObit) C:\Users\User\Downloads\advanced-systemcare-installer.exe
2014-05-10 21:21 - 2014-05-10 21:21 - 00000000 ____D () C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Unlocker
2014-05-10 21:20 - 2014-05-10 21:21 - 01078591 _____ () C:\Users\User\Downloads\Unlocker1.9.2.exe
2014-05-10 21:14 - 2014-05-10 21:14 - 00347816 _____ (Microsoft Corporation) C:\Users\User\Downloads\MicrosoftFixit.Devices.Run.exe
2014-05-10 21:12 - 2014-05-10 21:12 - 00728960 _____ (Enigma Software Group USA, LLC.) C:\Users\User\Downloads\SpyHunter-Installer.exe
2014-05-10 21:05 - 2014-05-11 12:25 - 00000504 _____ () C:\Windows\setupact.log
2014-05-10 21:05 - 2014-05-10 21:05 - 00000000 _____ () C:\Windows\setuperr.log
2014-05-10 20:39 - 2014-05-10 20:39 - 00002959 _____ () C:\Users\User\Desktop\HiJackThis.lnk
2014-05-10 20:39 - 2014-05-10 20:39 - 00000000 ____D () C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HiJackThis
2014-05-10 20:39 - 2014-05-10 20:39 - 00000000 ____D () C:\Program Files\Trend Micro
2014-05-10 01:46 - 2014-05-10 21:07 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2014-05-08 15:11 - 2014-05-09 13:52 - 00070656 _____ () C:\Windows\system32\axoleoyt.exe
2014-05-08 15:03 - 2014-05-08 15:03 - 00057216 _____ () C:\Windows\system32\Drivers\d98facd533efe507.sys
2014-05-05 17:02 - 2014-05-05 17:03 - 00000000 ____D () C:\Users\User\Desktop\JA-Sugite
2014-05-05 16:14 - 2014-05-05 16:14 - 00000000 ____D () C:\Windows\system32\1033
2014-05-05 16:02 - 2014-05-05 16:02 - 00000000 ____D () C:\Users\User\AppData\Local\Microsoft_Corporation
2014-05-05 15:51 - 2014-05-05 15:51 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft SQL Server 2005
2014-04-24 15:34 - 2014-04-24 15:35 - 06307434 _____ () C:\Users\User\Documents\P2144_EraFM_Johara2014_30sec_BM_SD_WM.mp4
2014-04-24 07:55 - 2011-06-10 13:48 - 00148200 _____ () C:\Users\User\Desktop\pure-wordpress.2011-06-10.xml
2014-04-24 07:49 - 2014-04-22 23:53 - 00801543 _____ () C:\Users\User\Desktop\sample-data.xml
2014-04-16 23:34 - 2014-04-16 23:34 - 00000000 ____D () C:\Users\User\AppData\Roaming\Real
2014-04-16 23:34 - 2014-04-16 23:34 - 00000000 ____D () C:\Users\User\AppData\Local\Real
2014-04-16 23:34 - 2014-04-16 23:34 - 00000000 ____D () C:\ProgramData\Real
2014-04-16 23:34 - 2014-04-16 23:34 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Real Alternative
2014-04-16 23:34 - 2014-04-16 23:34 - 00000000 ____D () C:\Program Files\Real Alternative
2014-04-16 23:34 - 2008-04-28 11:00 - 00278528 _____ (Real Networks, Inc) C:\Windows\system32\pncrt.dll
2014-04-16 23:34 - 2008-04-28 11:00 - 00185944 _____ (RealNetworks, Inc.) C:\Windows\system32\rmoc3260.dll
2014-04-16 23:34 - 2008-04-28 11:00 - 00006656 _____ (RealNetworks, Inc.) C:\Windows\system32\pndx5016.dll
2014-04-16 23:34 - 2008-04-28 11:00 - 00005632 _____ (RealNetworks, Inc.) C:\Windows\system32\pndx5032.dll
2014-04-12 00:35 - 2014-03-21 12:00 - 00345114 _____ () C:\Users\User\Desktop\bookyourtravel.sample.xml

==================== One Month Modified Files and Folders =======

2014-05-11 13:38 - 2009-07-14 10:37 - 00000000 ____D () C:\Windows\system32\LogFiles
2014-05-11 12:29 - 2014-05-11 12:28 - 00013549 _____ () C:\Users\User\Downloads\FRST.txt
2014-05-11 12:28 - 2014-05-11 12:28 - 00000000 ____D () C:\FRST
2014-05-11 12:28 - 2014-05-11 12:27 - 01055232 _____ (Farbar) C:\Users\User\Downloads\FRST.exe
2014-05-11 12:26 - 2009-07-14 12:34 - 00021264 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-05-11 12:26 - 2009-07-14 12:34 - 00021264 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-05-11 12:25 - 2014-05-10 21:05 - 00000504 _____ () C:\Windows\setupact.log
2014-05-11 12:25 - 2014-02-20 05:26 - 00000904 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3304836376-871355215-2393797171-1000UA.job
2014-05-11 12:25 - 2012-11-02 09:43 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-05-11 12:25 - 2012-11-02 09:18 - 00000882 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-05-11 11:16 - 2014-02-20 05:26 - 00000852 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3304836376-871355215-2393797171-1000Core.job
2014-05-11 04:10 - 2014-05-11 04:10 - 00201728 _____ (OldTimer Tools) C:\Users\User\Downloads\OTC.exe
2014-05-11 04:08 - 2013-10-19 20:35 - 00000000 ____D () C:\Program Files\Steam
2014-05-11 04:08 - 2012-11-02 09:18 - 00000878 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-05-11 04:08 - 2011-05-21 08:55 - 00000000 ____D () C:\ProgramData\Kaspersky Lab
2014-05-11 04:06 - 2009-07-14 12:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-05-11 04:04 - 2013-09-06 09:04 - 00000000 ____D () C:\Users\User\Desktop\Shinjiru
2014-05-11 03:52 - 2014-03-17 21:19 - 00000340 _____ () C:\Windows\Tasks\Driver Robot.job
2014-05-11 03:47 - 2014-05-11 03:47 - 00020545 _____ () C:\Users\User\Desktop\attach.txt
2014-05-11 03:47 - 2014-05-11 03:46 - 00688992 ____R (Swearware) C:\Users\User\Downloads\dds(1).com
2014-05-11 03:15 - 2014-05-11 03:10 - 00041859 _____ () C:\Users\User\Downloads\Addition.txt
2014-05-10 21:49 - 2014-03-16 20:02 - 01829322 _____ () C:\Windows\WindowsUpdate.log
2014-05-10 21:34 - 2014-05-10 21:34 - 00000797 _____ () C:\Users\User\Desktop\Advanced SystemCare Installer.lnk
2014-05-10 21:34 - 2014-05-10 21:27 - 04204709 _____ (IObit ) C:\Users\User\Downloads\driver_booster_setup.exe.part
2014-05-10 21:27 - 2014-05-10 21:27 - 00000000 ____D () C:\Users\User\AppData\Roaming\IObit
2014-05-10 21:27 - 2014-05-10 21:27 - 00000000 ____D () C:\ProgramData\IObit
2014-05-10 21:27 - 2014-05-10 21:27 - 00000000 ____D () C:\Program Files\IObit
2014-05-10 21:27 - 2014-05-10 21:26 - 01055040 _____ (IObit) C:\Users\User\Downloads\advanced-systemcare-installer.exe
2014-05-10 21:21 - 2014-05-10 21:21 - 00000000 ____D () C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Unlocker
2014-05-10 21:21 - 2014-05-10 21:20 - 01078591 _____ () C:\Users\User\Downloads\Unlocker1.9.2.exe
2014-05-10 21:14 - 2014-05-10 21:14 - 00347816 _____ (Microsoft Corporation) C:\Users\User\Downloads\MicrosoftFixit.Devices.Run.exe
2014-05-10 21:12 - 2014-05-10 21:12 - 00728960 _____ (Enigma Software Group USA, LLC.) C:\Users\User\Downloads\SpyHunter-Installer.exe
2014-05-10 21:07 - 2014-05-10 01:46 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2014-05-10 21:05 - 2014-05-10 21:05 - 00000000 _____ () C:\Windows\setuperr.log
2014-05-10 20:58 - 2014-03-20 15:43 - 00000904 _____ () C:\Windows\PFRO.log
2014-05-10 20:58 - 2014-03-18 01:05 - 00000000 ____D () C:\ProgramData\safewEb
2014-05-10 20:57 - 2014-03-18 01:05 - 00000000 ____D () C:\ProgramData\4de5a2705e7a4c65
2014-05-10 20:57 - 2014-03-18 01:05 - 00000000 ____D () C:\Program Files\safewEb
2014-05-10 20:54 - 2014-01-09 01:35 - 00000000 ____D () C:\Program Files\Microsoft SQL Server
2014-05-10 20:54 - 2011-05-21 12:19 - 00000000 ____D () C:\Program Files\Microsoft.NET
2014-05-10 20:52 - 2013-09-06 08:30 - 00000000 ____D () C:\Windows\Minidump
2014-05-10 20:39 - 2014-05-10 20:39 - 00002959 _____ () C:\Users\User\Desktop\HiJackThis.lnk
2014-05-10 20:39 - 2014-05-10 20:39 - 00000000 ____D () C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HiJackThis
2014-05-10 20:39 - 2014-05-10 20:39 - 00000000 ____D () C:\Program Files\Trend Micro
2014-05-09 16:43 - 2011-05-21 08:17 - 00005758 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-05-09 13:52 - 2014-05-08 15:11 - 00070656 _____ () C:\Windows\system32\axoleoyt.exe
2014-05-08 20:09 - 2013-09-03 10:56 - 00000000 ____D () C:\Users\User\Documents\Outlook Files
2014-05-08 20:07 - 2013-09-11 11:26 - 00000600 _____ () C:\Users\User\AppData\Local\PUTTY.RND
2014-05-08 18:24 - 2014-03-20 20:09 - 00002012 ____H () C:\Users\User\Documents\Default.rdp
2014-05-08 15:10 - 2013-09-03 12:37 - 00000000 ____D () C:\Users\User\AppData\Roaming\Skype
2014-05-08 15:03 - 2014-05-08 15:03 - 00057216 _____ () C:\Windows\system32\Drivers\d98facd533efe507.sys
2014-05-07 19:30 - 2013-09-05 10:38 - 00000000 ____D () C:\Users\User\AppData\Roaming\FileZilla
2014-05-05 17:03 - 2014-05-05 17:02 - 00000000 ____D () C:\Users\User\Desktop\JA-Sugite
2014-05-05 16:53 - 2009-07-14 10:37 - 00000000 ____D () C:\Windows\Microsoft.NET
2014-05-05 16:14 - 2014-05-05 16:14 - 00000000 ____D () C:\Windows\system32\1033
2014-05-05 16:02 - 2014-05-05 16:02 - 00000000 ____D () C:\Users\User\AppData\Local\Microsoft_Corporation
2014-05-05 15:54 - 2014-01-09 01:38 - 00000000 ____D () C:\Users\User\Documents\SQL Server Management Studio Express
2014-05-05 15:52 - 2011-05-21 09:08 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-05-05 15:51 - 2014-05-05 15:51 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft SQL Server 2005
2014-05-05 15:50 - 2009-07-14 10:37 - 00000000 ____D () C:\Program Files\Common Files\microsoft shared
2014-05-01 21:39 - 2009-07-14 10:37 - 00000000 ____D () C:\Windows\system32\NDF
2014-04-29 12:04 - 2012-11-02 09:43 - 00692400 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2014-04-29 12:04 - 2012-11-02 09:43 - 00070832 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2014-04-24 15:35 - 2014-04-24 15:34 - 06307434 _____ () C:\Users\User\Documents\P2144_EraFM_Johara2014_30sec_BM_SD_WM.mp4
2014-04-23 22:18 - 2013-04-30 23:55 - 00000000 ____D () C:\Users\User\AppData\Roaming\vlc
2014-04-22 23:53 - 2014-04-24 07:49 - 00801543 _____ () C:\Users\User\Desktop\sample-data.xml
2014-04-17 23:03 - 2013-09-20 03:35 - 00000000 ____D () C:\Users\User\AppData\Roaming\Media Player Classic
2014-04-16 23:34 - 2014-04-16 23:34 - 00000000 ____D () C:\Users\User\AppData\Roaming\Real
2014-04-16 23:34 - 2014-04-16 23:34 - 00000000 ____D () C:\Users\User\AppData\Local\Real
2014-04-16 23:34 - 2014-04-16 23:34 - 00000000 ____D () C:\ProgramData\Real
2014-04-16 23:34 - 2014-04-16 23:34 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Real Alternative
2014-04-16 23:34 - 2014-04-16 23:34 - 00000000 ____D () C:\Program Files\Real Alternative
ZeroAccess:
C:\Users\User\AppData\Local\Google\Desktop\Install
ZeroAccess:
C:\Program Files\Google\Desktop\Install

Some content of TEMP:
====================
C:\Users\User\AppData\Local\Temp\SHSetup.exe
C:\Users\User\AppData\Local\Temp\surec.exe


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\system32\winlogon.exe => MD5 is legit
C:\Windows\system32\wininit.exe => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\services.exe => MD5 is legit
C:\Windows\system32\User32.dll => MD5 is legit
C:\Windows\system32\userinit.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit
C:\Windows\system32\Drivers\volsnap.sys
[2012-10-23 15:00] - [2010-11-20 20:30] - 0245632 ____A () D41D8CD98F00B204E9800998ECF8427E

C:\Windows\system32\Drivers\volsnap.sys No Company Name <===== ATTENTION!

ATTENTION: ====> ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender


LastRegBack: 2014-05-10 03:32

==================== End Of Log ============================

 

 

And I have also attached Addition.txt for your review.

 

Thanks

Edited by lwashere, 10 May 2014 - 11:56 PM.
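A small triage script, added here as an example and not part of the thread or of the FRST tool: it runs over a few constructed lines modelled on the log above and surfaces the indicators that the log's own ATTENTION markers and Georgi's posts point at (a locked service, a hex-named driver with no company, and a volsnap.sys hash equal to the MD5 of an empty file). The log layout it parses and the hex-name heuristic are assumptions of this example, not FRST rules.

```python
"""Triage an FRST-style scan log for the indicators discussed in this thread.

Added example, not part of the thread and not FRST's own code. The section
banners, the "state name; path [size date] (company)" entry layout and the
hex-name heuristic below are assumptions made for this example.
"""
import hashlib
import re

# MD5 of zero bytes. An integrity check that reports this value read no data
# at all, which is what a hidden or intercepted file looks like to the scanner.
EMPTY_FILE_MD5 = hashlib.md5(b"").hexdigest().upper()

# Constructed sample modelled on the FRST sections in the thread; not the real log.
SAMPLE_LOG = r"""
==================== Services (Whitelisted) =================

Locked "d98facd533efe507" service could not be unlocked. <===== ATTENTION

R2 AVP; C:\Program Files\Kaspersky Lab\avp.exe [311680 2010-03-12] (Kaspersky Lab)

==================== Drivers (Whitelisted) ====================

S3 massfilter; C:\Windows\System32\drivers\massfilter.sys [9216 2010-06-03] (MBB Incorporated)
R0 Wdf01000; C:\Windows\System32\drivers\Wdf01000.sys [527064 2013-06-26] ()
U5 d98facd533efe507; C:\Windows\System32\Drivers\d98facd533efe507.sys [57216 2014-05-08] () <===== ATTENTION Necurs Rootkit?

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\system32\Drivers\volsnap.sys
[2012-10-23 15:00] - [2010-11-20 20:30] - 0245632 ____A () D41D8CD98F00B204E9800998ECF8427E
"""

SECTION_RE = re.compile(r"^=+ (.+?) =+$")
ENTRY_RE = re.compile(r"^([RSU]\d) ([^;]+); (.+?) \[(\d+) (\d{4}-\d{2}-\d{2})\] \((.*?)\)")
HASH_RE = re.compile(r"\b([0-9A-Fa-f]{32})\b")
HEX_NAME_RE = re.compile(r"^[0-9a-f]{16}$")   # heuristic: random-looking service names


def parse_entry(line):
    """Split a service/driver line into its fields, or return None."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    state, name, path, size, date, company = m.groups()
    return {"state": state, "name": name, "path": path,
            "size": int(size), "date": date, "company": company}


def triage(log_text):
    """Return (kind, reason, line) findings for the suspicious entries."""
    findings = []
    section = ""
    pending_path = None          # bare path line waiting for its hash line
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, pending_path = m.group(1), None
            continue
        if "<===== ATTENTION" in line:
            findings.append(("attention", "flagged by the scanner itself", line))
        if section.startswith(("Services", "Drivers")):
            entry = parse_entry(line)
            if entry and not entry["company"] and HEX_NAME_RE.match(entry["name"]):
                kind = "service" if section.startswith("Services") else "driver"
                findings.append(("suspicious-entry",
                                 f"hex-named {kind} with no company: {entry['name']}", line))
        elif section.startswith("Bamital"):
            if line.endswith("=> MD5 is legit"):
                continue
            h = HASH_RE.search(line)
            if h is None:
                pending_path = line      # the path precedes its hash line
            else:
                if pending_path and h.group(1).upper() == EMPTY_FILE_MD5:
                    findings.append(("empty-file-hash",
                                     f"{pending_path} hashed as an empty file", line))
                pending_path = None
    return findings


if __name__ == "__main__":
    for kind, reason, line in triage(SAMPLE_LOG):
        print(f"[{kind}] {reason}\n    {line}")
```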


#4 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 11 May 2014 - 06:07 AM

Hi,

 

 

As I thought, you have the Necurs and ZeroAccess rootkits on board. Here is my general warning for you:

 

 

IMPORTANT NOTE: One or more of the identified infections is related to the rootkit Necurs and to the rootkit ZeroAccess. Rootkits, backdoor Trojans, botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Rootkits are used by Trojans to conceal their presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Many rootkits can hook into the Windows 32-bit kernel and patch several APIs to hide new registry keys and files they install. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data, which is sent back to the hacker. To learn more about these types of infections, you can refer to:

If your computer was used for online banking, has credit card information or other sensitive data on it, you should stay disconnected from the Internet until your system is fully cleaned. All passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised and change each password using a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised, please read:

Although the infection has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired so you can never be sure that you have completely removed a rootkit. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. If you decide to continue, please do the following:

Next please download ESETNecursRemover.exe and save it to your desktop.

Double-click on ESETNecursRemover.exe and click on the Agree button.
If you see the message: "Win32Necurs was found active on your system, do you want to perform cleaning" => choose YES.
Next you will see the message: "Do you want to restart the computer now (required)". => choose YES.

When done, post the log (it will be created in the same folder you ran the tool from).

Regards,

Georgi

#5 lwashere (Topic Starter)

Posted 11 May 2014 - 11:09 AM

Hi Georgi!


I have run the files and now I am able to detect USB, and it seems that the virus has been removed.

Here the log by ESET

[2014.05.11 23:55:51.349] -
[2014.05.11 23:55:51.349] -     ....................................
[2014.05.11 23:55:51.350] -   ..::::::::::::::::::....................
[2014.05.11 23:55:51.358] -   .::EEEEEE:::SSSSSS::..EEEEEE..TTTTTTTT..    Win32/Necurs
[2014.05.11 23:55:51.360] -  .::EE::::EE:SS:::::::.EE....EE....TT......   Version: 2.1.0.2
[2014.05.11 23:55:51.362] -  .::EEEEEEEE::SSSSSS::.EEEEEEEE....TT......   Built: Apr 28 2014
[2014.05.11 23:55:51.363] -  .::EE:::::::::::::SS:.EE..........TT......
[2014.05.11 23:55:51.365] -   .::EEEEEE:::SSSSSS::..EEEEEE.....TT.....    Copyright © ESET, spol. s r.o.
[2014.05.11 23:55:51.366] -   ..::::::::::::::::::....................    1992-2013. All rights reserved.
[2014.05.11 23:55:51.367] -     ....................................
[2014.05.11 23:55:51.367] -
[2014.05.11 23:55:51.367] - --------------------------------------------------------------------------------
[2014.05.11 23:55:51.367] -
[2014.05.11 23:55:51.374] - INFO: OS: 6.1.7601 SP1
[2014.05.11 23:55:51.375] - INFO: Product Type: Workstation
[2014.05.11 23:55:51.375] - INFO: WoW64: False
[2014.05.11 23:55:51.376] - INFO: Machine guid: B1DD848F-D2B7-417B-8E6F-2CAF7B4DB3B3
[2014.05.11 23:55:51.376] -
[2014.05.11 23:55:53.111] - INFO: Scanning for system infection...
[2014.05.11 23:55:53.112] - --------------------------------------------------------------------------------
[2014.05.11 23:55:53.117] -
[2014.05.11 23:55:53.120] - INFO: Found suspicious service - d98facd533efe507
[2014.05.11 23:55:53.666] - INFO: INF_NCFMND01 - 0xC0000022... [null.sys]
[2014.05.11 23:55:53.666] - INFO: Rootkit's service key - d98facd533efe507
[2014.05.11 23:55:53.666] - INFO: Rootkit's path - \SystemRoot\System32\Drivers\d98facd533efe507.sys
[2014.05.11 23:55:53.666] - INFO: Win32/Necurs found
[2014.05.11 23:55:58.119] - INFO: INF_NCCRK03 - 1 - 2...
[2014.05.11 23:55:58.120] - INFO: INF_NCCRK03 - 1 - 2...
[2014.05.11 23:55:58.140] - INFO: INF_NCCRK04 - 1 - ...
[2014.05.11 23:56:09.344] - INFO: Cleaning status: 2
[2014.05.11 23:57:54.300] -
[2014.05.11 23:57:54.300] - --------------------------------------------------------------------------------
[2014.05.11 23:57:54.301] - INFO: System is rebooting...
[2014.05.11 23:57:54.393] - --------------------------------------------------------------------------------
[2014.05.11 23:57:54.393] - INFO: Logging finished successfully...
[2014.05.11 23:57:54.393] - --------------------------------------------------------------------------------

However, I noticed that there are still some unknown exe files in my temp folder, and I am unable to remove them even from Safe Mode because I do not have permission to.

Even now I am able to update Windows and my antivirus.

Really glad that you helped me... I don't know how to express my gratitude ^^

#6 B-boy/StyLe/ (Bleepin' Freestyler, Malware Response Team)

Posted 11 May 2014 - 01:54 PM

Hi,

We are not done yet. :)

Please download the latest version of FRST from the link above (make sure that Addition.txt is checked), run a new scan, and then post both logs in your next reply. :)

Regards,

Georgi

#7 lwashere (Topic Starter)

Posted 12 May 2014 - 05:51 AM

Hi Georgi!

Sorry for the late reply.

I have run it and below is the log for your reference.

I found exe files in my temp folder.

C:\Users\User\AppData\Local\Temp\SHSetup.exe
C:\Users\User\AppData\Local\Temp\surec.exe

May I remove them?

Thanks in advance! :)

Attached Files

#8 B-boy/StyLe/ (Bleepin' Freestyler, Malware Response Team)

Posted 13 May 2014 - 03:00 AM

Sure... but can you please zip them and upload the archive to my channel => http://www.bleepingcomputer.com/submit-malware.php?channel=122 so I can examine the files and submit them to antivirus companies if needed? :)

Zip and submit this file as well (C:\Windows\system32\axoleoyt.exe). Thanks!

 
Next please download the following file => fixlist.txt and save it to the folder where FRST is stored (in your case C:\Users\User\Downloads).
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

 
Regards,

Georgi

#9 lwashere (Topic Starter)

Posted 13 May 2014 - 06:33 AM

Dear Georgi!

I have run FRST and below is the fixlog.

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version:11-05-2014 01
Ran by User at 2014-05-13 19:28:39 Run:1
Running from C:\Users\User\Downloads
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
start
HKLM\...\Run: [] => [X]
HKU\S-1-5-21-3304836376-871355215-2393797171-1000\...\Run: [Google Update*] => [X] <===== ATTENTION (ZeroAccess rootkit hidden path)
SearchScopes: HKLM - DefaultScope value is missing.
SearchScopes: HKCU - DefaultScope {F9CD8915-B741-4D63-B97C-ADFC5BB8E9F7} URL = http://blekko.com/ws/?source=e0c8d0ad&tbp=rbox&u=40f1c03f000000000000002186da6f3f&q={searchTerms}&r=720
SearchScopes: HKCU - {F9CD8915-B741-4D63-B97C-ADFC5BB8E9F7} URL = http://blekko.com/ws/?source=e0c8d0ad&tbp=rbox&u=40f1c03f000000000000002186da6f3f&q={searchTerms}&r=720
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
FF Extension: YoutubeAdblocker - C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\pxnuhsl6.default-1390963190804\Extensions\b-5yjdc5@lpnhajdwkp.net [2014-03-18]
FF Extension: safeweeb - C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\pxnuhsl6.default-1390963190804\Extensions\mz0gueo@xceafsc.edu [2014-03-18]
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
2014-05-10 20:58 - 2014-03-18 01:05 - 00000000 ____D () C:\ProgramData\safewEb
2014-05-10 20:57 - 2014-03-18 01:05 - 00000000 ____D () C:\ProgramData\4de5a2705e7a4c65
2014-05-10 20:57 - 2014-03-18 01:05 - 00000000 ____D () C:\Program Files\safewEb
2014-05-09 13:52 - 2014-05-08 15:11 - 00070656 _____ () C:\Windows\system32\axoleoyt.exe
C:\Users\User\AppData\Local\Google\Desktop\Install
C:\Program Files\Google\Desktop\Install
C:\Users\User\AppData\Local\Temp\SHSetup.exe
C:\Users\User\AppData\Local\Temp\surec.exe
DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
cmd: Dir /s /a:l C:\Windows\*
cmd: netsh winsock reset catalog
cmd: ipconfig /flushdns
end
*****************

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\ => Value deleted successfully.
HKU\S-1-5-21-3304836376-871355215-2393797171-1000\Software\Microsoft\Windows\CurrentVersion\Run\\Google Update* => Value deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value was restored successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{F9CD8915-B741-4D63-B97C-ADFC5BB8E9F7} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{F9CD8915-B741-4D63-B97C-ADFC5BB8E9F7} => Key not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => Value deleted successfully.
HKCR\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => Key not found.
C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\pxnuhsl6.default-1390963190804\Extensions\b-5yjdc5@lpnhajdwkp.net => Moved successfully.
C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\pxnuhsl6.default-1390963190804\Extensions\mz0gueo@xceafsc.edu => Moved successfully.
HKLM\SOFTWARE\Policies\Google => Key deleted successfully.
C:\ProgramData\safewEb => Moved successfully.
C:\ProgramData\4de5a2705e7a4c65 => Moved successfully.
C:\Program Files\safewEb => Moved successfully.
C:\Windows\system32\axoleoyt.exe => Moved successfully.
C:\Users\User\AppData\Local\Google\Desktop\Install => Moved successfully.
C:\Program Files\Google\Desktop\Install => Moved successfully.
C:\Users\User\AppData\Local\Temp\SHSetup.exe => Moved successfully.
C:\Users\User\AppData\Local\Temp\surec.exe => Moved successfully.
"C:\Program Files\Windows Defender" => Deleting reparse point and unlocking started.
"C:\Program Files\Windows Defender\en-US" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpAsDesc.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpClient.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpCmdRun.exe" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpCommu.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpEvMsg.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpOAV.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpRTP.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpSvc.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MSASCui.exe" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MsMpCom.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MsMpLics.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MsMpRes.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender" => Deleting reparse point and unlocking completed.

=========  Dir /s /a:l C:\Windows\* =========

 Volume in drive C has no label.
 Volume Serial Number is 40F1-C03F

 Directory of C:\Windows\winsxs\x86_security-malware-windows-defender-events_31bf3856ad364e35_6.1.7600.16385_none_b56e56591cecccb4

07/14/2009  09:06 AM    <SYMLINK>      MpEvMsg.dll [...]
               1 File(s)         52,224 bytes

 Directory of C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.1.7600.16385_none_579306edb982ae36

07/14/2009  09:15 AM    <SYMLINK>      MpAsDesc.dll [...]
07/14/2009  09:14 AM    <SYMLINK>      MpCmdRun.exe [...]
07/14/2009  09:15 AM    <SYMLINK>      MpOAV.dll [...]
07/14/2009  09:15 AM    <SYMLINK>      MpRTP.dll [...]
07/14/2009  09:14 AM    <SYMLINK>      MSASCui.exe [...]
07/14/2009  09:07 AM    <SYMLINK>      MsMpLics.dll [...]
07/14/2009  09:15 AM    <SYMLINK>      MsMpRes.dll [...]
               7 File(s)      1,526,784 bytes

 Directory of C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.1.7600.17316_none_57df9fe3b9491d97

07/14/2009  09:15 AM    <SYMLINK>      MpAsDesc.dll [...]
07/14/2009  09:14 AM    <SYMLINK>      MpCmdRun.exe [...]
07/14/2009  09:15 AM    <SYMLINK>      MpOAV.dll [...]
07/14/2009  09:15 AM    <SYMLINK>      MpRTP.dll [...]
07/14/2009  09:14 AM    <SYMLINK>      MSASCui.exe [...]
07/14/2009  09:07 AM    <SYMLINK>      MsMpLics.dll [...]
07/14/2009  09:15 AM    <SYMLINK>      MsMpRes.dll [...]
               7 File(s)      1,526,784 bytes

 Directory of C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.1.7600.21531_none_584e9d4ad27b73b7

07/14/2009  09:15 AM    <SYMLINK>      MpAsDesc.dll [...]
07/14/2009  09:14 AM    <SYMLINK>      MpCmdRun.exe [...]
07/14/2009  09:15 AM    <SYMLINK>      MpOAV.dll [...]
07/14/2009  09:15 AM    <SYMLINK>      MpRTP.dll [...]
07/14/2009  09:14 AM    <SYMLINK>      MSASCui.exe [...]
07/14/2009  09:07 AM    <SYMLINK>      MsMpLics.dll [...]
07/14/2009  09:15 AM    <SYMLINK>      MsMpRes.dll [...]
               7 File(s)      1,526,784 bytes

 Directory of C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_59c41ab5b67131d0

07/14/2009  09:15 AM    <SYMLINK>      MpAsDesc.dll [...]
07/14/2009  09:14 AM    <SYMLINK>      MpCmdRun.exe [...]
07/14/2009  09:15 AM    <SYMLINK>      MpOAV.dll [...]
07/14/2009  09:15 AM    <SYMLINK>      MpRTP.dll [...]
07/14/2009  09:14 AM    <SYMLINK>      MSASCui.exe [...]
11/20/2010  08:19 PM    <SYMLINK>      MsMpCom.dll [...]
07/14/2009  09:07 AM    <SYMLINK>      MsMpLics.dll [...]
07/14/2009  09:15 AM    <SYMLINK>      MsMpRes.dll [...]
               8 File(s)      1,579,520 bytes

 Directory of C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.18170_none_597f1ba5b6a5991f

07/14/2009  09:15 AM    <SYMLINK>      MpAsDesc.dll [...]
05/27/2013  12:57 PM    <SYMLINK>      MpClient.dll [...]
07/14/2009  09:14 AM    <SYMLINK>      MpCmdRun.exe [...]
05/27/2013  12:57 PM    <SYMLINK>      MpCommu.dll [...]
07/14/2009  09:15 AM    <SYMLINK>      MpOAV.dll [...]
07/14/2009  09:15 AM    <SYMLINK>      MpRTP.dll [...]
05/27/2013  12:57 PM    <SYMLINK>      MpSvc.dll [...]
07/14/2009  09:14 AM    <SYMLINK>      MSASCui.exe [...]
11/20/2010  08:19 PM    <SYMLINK>      MsMpCom.dll [...]
07/14/2009  09:07 AM    <SYMLINK>      MsMpLics.dll [...]
07/14/2009  09:15 AM    <SYMLINK>      MsMpRes.dll [...]
              11 File(s)      2,877,952 bytes

 Directory of C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.22341_none_5a2a2a64cfa9fb94

07/14/2009  09:15 AM    <SYMLINK>      MpAsDesc.dll [...]
07/14/2009  09:14 AM    <SYMLINK>      MpCmdRun.exe [...]
07/14/2009  09:15 AM    <SYMLINK>      MpOAV.dll [...]
07/14/2009  09:15 AM    <SYMLINK>      MpRTP.dll [...]
07/14/2009  09:14 AM    <SYMLINK>      MSASCui.exe [...]
11/20/2010  08:19 PM    <SYMLINK>      MsMpCom.dll [...]
07/14/2009  09:07 AM    <SYMLINK>      MsMpLics.dll [...]
07/14/2009  09:15 AM    <SYMLINK>      MsMpRes.dll [...]
               8 File(s)      1,579,520 bytes

     Total Files Listed:
              49 File(s)     10,669,568 bytes
               0 Dir(s)   6,044,528,640 bytes free

========= End of CMD: =========


=========  netsh winsock reset catalog =========


Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.


========= End of CMD: =========


=========  ipconfig /flushdns =========


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========


==== End of Fixlog ====

Thanks

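Besides the files it moves, the fixlist FRST ran above goes after two ZeroAccess leftovers: Windows Defender binaries that had been replaced by reparse points (that is what the "Dir /s /a:l C:\Windows\*" listing shows and what the DeleteJunctionsIndirectory step undoes), and a Run value pointing into the Google\Desktop\Install directories the fix deletes. The PowerShell below is an added example, not part of the thread and not FRST's own code; it performs those two checks read-only on a live machine so you can see what such a fix acts on before anything is deleted. It assumes PowerShell 3 or later on Windows 7 or later, run from an elevated prompt. The Google\Desktop\Install pattern is taken from the fixlist; escaping non-printable characters in Run value names and the Broken column are heuristics I added, not something the thread states (a link with a relative target will show as Broken even if it resolves).

```powershell
# Added example, not from the thread and not FRST's code. Read-only triage for the
# two ZeroAccess traces the fixlist above acted on. Requires PowerShell 3+, elevated.
# Assumption: walking all of C:\Windows mirrors "Dir /s /a:l C:\Windows\*" and can
# take a few minutes; Windows 8 and later ship some legitimate reparse points under
# C:\Windows, so compare the output with a clean machine of the same build.

$roots = @((Join-Path $env:ProgramFiles 'Windows Defender'), $env:SystemRoot)

function Get-ReparseTarget([string]$Path) {
    # fsutil prints the raw "Substitute Name:" of a junction or symlink; drop the \??\ prefix.
    $out = & fsutil.exe reparsepoint query $Path 2>$null
    foreach ($line in @($out)) {
        if ($line -match 'Substitute Name:\s*(\S.*)$') {
            return ($Matches[1].Trim() -replace '^\\\?\?\\', '')
        }
    }
    return $null
}

function Get-SuspiciousReparsePoints([string[]]$Roots) {
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { ($_.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0 } |
            ForEach-Object {
                $target = Get-ReparseTarget $_.FullName
                [pscustomobject]@{
                    Path   = $_.FullName
                    Target = $target
                    # Defender binaries are plain files; in the log above they had become links.
                    Broken = (-not $target) -or (-not (Test-Path -LiteralPath $target))
                }
            }
    }
}

function Get-RunEntries {
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($k in $keys) {
        if (-not (Test-Path -LiteralPath $k)) { continue }
        $key = Get-Item -LiteralPath $k
        foreach ($name in $key.GetValueNames()) {
            $data  = [string]$key.GetValue($name, '', 'DoNotExpandEnvironmentNames')
            # Escape anything outside printable ASCII so a value name that merely looks
            # like "Google Update" on screen is shown for what it is (heuristic).
            $shown = -join ($name.ToCharArray() | ForEach-Object {
                if ([int]$_ -ge 32 -and [int]$_ -le 126) { [string]$_ } else { '\u{0:X4}' -f [int]$_ }
            })
            [pscustomobject]@{
                Hive = $k.Split(':')[0]
                Name = $shown
                Data = $data
                # The two Install directories are the ones the fixlist removed.
                Flag = ($shown -ne $name) -or ($data -match 'Google\\Desktop\\Install')
            }
        }
    }
}

Get-SuspiciousReparsePoints $roots | Format-Table -AutoSize
Get-RunEntries | Format-Table -AutoSize
```

Run it before and after a fix like the one above: the Windows Defender directory should come back with no reparse points at all once the junctions are gone, and the Run listing should no longer contain a flagged entry. An empty Name with non-empty Data corresponds to the "HKLM\...\Run: []" value the fixlist removed.
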
#10 B-boy/StyLe/ (Bleepin' Freestyler, Malware Response Team)

Posted 13 May 2014 - 10:43 AM

Hello,

Although we managed to clean the infection, I want to make sure there is nothing lurking on the system, so just in case I want you to go through these steps:

Most of them should take no more than 5 minutes each (but the time they take to complete can vary depending on the size of your hard drive and the speed of your computer).

STEP 1

  • Please download RKill by Grinler from the link below and save it to your desktop.

    Rkill
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator.)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply.
  • A log pops up at the end of the run. This log file is located at C:\rkill.log.
  • Please post the log in your next reply.

STEP 2

  • Please download RogueKiller.exe and save it to the desktop.
  • Close all windows and browsers.
  • Right-click the program and select 'Run as Administrator'.
  • Press the scan button.
  • A report opens on the desktop named RKreport.txt.
  • Please copy and paste the results at pastebin.com and post the link to the log in your next reply.

STEP 3

Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip; click on Continue.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.
  • A report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the results at pastebin.com and post the link to the log in your next reply.

STEP 4

Please download Malwarebytes Anti-Malware to your desktop.

  • Double-click mbam-setup-2.0.1.1004.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.
  • On the Settings tab > Detection and Protection subtab, Detection Options, tick the box 'Scan for rootkits'.
  • Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • With some infections, you may see this message box.
    • 'Could not load DDA driver'
  • Click 'Yes' to this message, to allow the driver to load after a restart.
  • Allow the computer to restart. Continue with the rest of these instructions.
  • When the scan is complete, click Apply Actions.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply.

STEP 5

1. Please download HitmanPro.

  • For 32-bit Operating System (or use the mirror).
  • For 64-bit Operating System (or use the mirror).

2. Launch the program by double-clicking on the HitmanPro icon. (Windows Vista/7 users: right-click on the HitmanPro icon and select Run as administrator.)

Note: If the program won't run, then open it while holding down the left CTRL key until it is loaded.

3. Click on the Next button. You must agree with the terms of the EULA (if asked).

4. Check the box beside "No, I only want to perform a one-time scan to check this computer".

5. Click on the Next button.

6. The program will start to scan the computer. The scan will typically take no more than 2-3 minutes.

7. When the scan is done, click on the drop-down menu of the found entries (if any) and choose Apply to all => Ignore <= IMPORTANT!!!

8. Click on the Next button.

9. Click on the "Save Log" button.

10. Save that file to your desktop and post the content of that file in your next reply.

Note: If there isn't a drop-down menu when the scan is done, then please don't delete anything and close HitmanPro.

Navigate to C:\ProgramData\HitmanPro\Logs, open the report and copy and paste it to your next reply.

 
STEP 6

Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure that all options are checked.
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run from.
  • Please copy and paste the results at pastebin.com and post the link to the log in your next reply.

STEP 7

Download Security Check by screen317 from here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

and then if there aren't any issues left I'll give you my final recommendations. :)

Regards,

Georgi

#11 lwashere (Topic Starter)

Posted 13 May 2014 - 12:16 PM

Hi Georgi

I have run them as suggested and below are the logs for your reference.

And please kindly recommend for better protection :)

Thanks

Attached Files

#12 B-boy/StyLe/ (Bleepin' Freestyler, Malware Response Team)

Posted 13 May 2014 - 01:04 PM

Hi,

You uploaded FRST.txt instead of FSS.txt. :)

Regards,

Georgi

#13 lwashere (Topic Starter)

Posted 13 May 2014 - 01:11 PM

Hi Georgi

Oops!!

Here is the FSS log:

Farbar Service Scanner Version: 03-05-2014
Ran by User (administrator) on 14-05-2014 at 02:10:12
Running from "C:\Users\User\Downloads"
Microsoft Windows 7 Professional  Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
WAN connected
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is set to Disabled. The default start type is Auto.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.

Action Center Notification Icon =====> Unable to open HKLM\...\ShellServiceObjects\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A} key. The key does not exist.


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Disabled. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Other Services:
==============


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys
[2014-03-18 17:34] - [2014-03-18 17:34] - 0338944 ____A (Microsoft Corporation) F81BB7E487EDCEAB630A7EE66CF23913

C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys
[2014-03-18 17:34] - [2014-03-18 17:34] - 1294272 ____A (Microsoft Corporation) CA59F7C570AF70BC174F477CFE2D9EE3

C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll
[2013-08-14 20:36] - [2013-07-09 12:46] - 0140288 ____A (Microsoft Corporation) 7CA1BECEA5DE2643ADDAD32670E7A4C9

C:\Program Files\Windows Defender\MpSvc.dll
[2013-08-03 19:39] - [2013-05-27 12:57] - 0680960 ____A (Microsoft Corporation) 082CF481F659FAE0DE51AD060881EB47

C:\Windows\system32\ipnathlp.dll => MD5 is legit
C:\Windows\system32\iphlpsvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****

Thanks

#14 B-boy/StyLe/ (Bleepin' Freestyler, Malware Response Team)

Posted 14 May 2014 - 03:22 PM

Hello,

I am sorry about the delay. I've been very busy in the last two days.

Please re-run MBAM, update its definitions and run a new scan. Make sure that you remove the entries found this time and then post the log in your next reply.

Next re-run HitmanPro and post a new log as well.

Be sure that you delete the files you created for me:

C:\Users\User\Downloads\av.rar
C:\Users\User\Desktop\avirus.rar
C:\Users\User\Desktop\Temp.rar
C:\Users\User\Desktop\axoleoyt.rar

and then empty the Recycle Bin too.

Next let's try to fix the broken services.


Back up your registry.

Now download the following files and save them to your desktop:

WinDefend.reg

wscsvc.reg

fix.reg

Now double click on each of them one by one. An information box will pop up asking if you want to merge the information in the file into the registry, click YES.

  • Next please download the ESET ServicesRepair utility and save it to your Desktop.
  • Double-click ServicesRepair.exe to run the ESET ServicesRepair utility.
  • If you are using User Account Control, click Run when prompted and then click Yes when asked to allow changes.
  • Reboot the computer and then please post fresh logs from the following 3 tools: RKill, Farbar Service Scanner and SecurityCheck.

Note: Btw, you forgot to post the link to the TDSSKiller log as well... :)

Regards,

Georgi


Edited by B-boy/StyLe/, 15 May 2014 - 06:36 PM.

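The FSS log above shows the damage this post is repairing: wscsvc and WinDefend set to Disabled, EnableFirewall=0 for the standard profile, and the Action Center notification icon key missing from ShellServiceObjects. As an added example that is not part of the thread and is not the content of the .reg files linked in this post, the PowerShell below reads those same items back on a live machine and, with -Repair, sets the two services back to Automatic and turns the firewall on for every profile. It assumes Windows 7 or later, PowerShell 3 or later, and an elevated prompt. The full path of the ShellServiceObjects key, the "Automatic" defaults and the delayed-auto setting for wscsvc are my additions from Windows defaults (FSS itself reports Auto as the default); the ShellServiceObjects key is only reported, not recreated, because its default data is not shown anywhere on this page.

```powershell
# Added example, not part of the thread and not the contents of the posted .reg
# files. Checks the items the FSS log above flagged and, with -Repair, restores the
# service start types and firewall state. Assumptions: Windows 7 or later,
# PowerShell 3+, elevated; "Automatic" is the default FSS itself reports.
param([switch]$Repair)

$services = 'wscsvc', 'WinDefend'      # Security Center, Windows Defender
$fwRoot   = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
$acIcon   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}'
$startMap = @{ 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Get-StartTypeFromRegistry([string]$Name) {
    # Read the Start value directly: Get-Service -StartType needs PowerShell 5, and a
    # missing key means the service entry itself was deleted, not merely disabled.
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path -LiteralPath $key)) { return 'Missing' }
    $start = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).Start
    if ($null -ne $start -and $startMap.ContainsKey([int]$start)) { $startMap[[int]$start] }
    else { "Unknown($start)" }
}

function Get-Findings {
    $findings = @()
    foreach ($svc in $services) {
        $startType = Get-StartTypeFromRegistry $svc
        $status    = (Get-Service -Name $svc -ErrorAction SilentlyContinue).Status
        $findings += [pscustomobject]@{ Item = "service $svc"; Value = "$startType / $status"; Bad = ($startType -ne 'Automatic') }
    }
    foreach ($fwProfile in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
        # FSS quoted StandardProfile EnableFirewall=0; check all three profiles.
        $enabled = (Get-ItemProperty -LiteralPath "$fwRoot\$fwProfile" -ErrorAction SilentlyContinue).EnableFirewall
        $findings += [pscustomobject]@{ Item = "firewall $fwProfile"; Value = $enabled; Bad = ($enabled -ne 1) }
    }
    $present = Test-Path -LiteralPath $acIcon
    $findings += [pscustomobject]@{ Item = 'Action Center icon SSO key'; Value = $present; Bad = (-not $present) }
    $findings
}

Get-Findings | Format-Table -AutoSize

if ($Repair) {
    foreach ($svc in $services) {
        Set-Service -Name $svc -StartupType Automatic
        Start-Service -Name $svc -ErrorAction Continue
    }
    # wscsvc is normally Automatic (Delayed Start); sc.exe can set that, Set-Service cannot.
    & sc.exe config wscsvc start= delayed-auto | Out-Null
    # The supported way to switch the firewall back on for every profile.
    & netsh.exe advfirewall set allprofiles state on | Out-Null
    # The ShellServiceObjects key is deliberately not recreated here: its default data
    # is not on this page, so take it from the posted .reg file or a clean machine.
}
```

Run it once before the .reg files and ServicesRepair to record the broken state, and once after the reboot: every row should then show Bad = False, which is the same result a fresh FSS log should confirm.
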
#15 lwashere (Topic Starter)

Posted 14 May 2014 - 05:25 PM

Hi Georgi

I am unable to save the log for HitmanPro and the TDSSKiller log since the files are too big. I will try to upload them to my hosting and provide them to you later.

However, I have run Malwarebytes and all the reg files you suggested.

Thanks :)

Attached Files
