
infected with ZeroAccess rootkit


  • This topic is locked
62 replies to this topic

#1 jlrjer

  • Members
  • 38 posts
  • Gender:Female
  • Location:Michigan

Posted 20 June 2014 - 09:57 AM

Don't know how to remove it.

 

After running Norton Security Suite it told me I had w64.viknok.B!inf and the infected file was located in c:\windows\system32\sysprep\cryptbase.dll--they told me it had to be removed manually.  That's when I came to you.

 

After running several scans for you I was directed to open another topic because I was infected with ZeroAccess rootkit.

 

SYMPTOMS I have noticed:

Whenever I am browsing the internet either with IE or Chrome it constantly freezes up and usually shuts down. I also notice that the fan/processor seems to be running constantly; it sounds as if it is really straining.

 

DDS TXT:

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64 

Internet Explorer: 11.0.9600.17041  BrowserJavaVersion: 10.60.2
Run by Joan Lee at 6:25:01 on 2014-06-20
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3839.2119 [GMT -4:00]
.
AV: Norton Security Suite *Enabled/Updated* {D87FA2C0-F526-77B1-D6EC-0EDF3936CEDB}
SP: Norton Security Suite *Enabled/Updated* {631E4324-D31C-783F-EC5C-35AD42B18466}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Spybot - Search and Destroy *Enabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
FW: Norton Security Suite *Enabled* {E04423E5-BF49-76E9-FDB3-A7EAC7E589A0}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files (x86)\Coupons\CouponPrinterService.exe
C:\Windows\SysWOW64\AsHookDevice.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Program Files (x86)\Constant Guard Protection Suite\IDVaultSvc.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Google\Update\1.3.24.15\GoogleCrashHandler.exe
C:\Program Files (x86)\Google\Update\1.3.24.15\GoogleCrashHandler64.exe
C:\Program Files (x86)\AWS\WeatherBug\Weather.exe
C:\Program Files (x86)\Constant Guard Protection Suite\IDVault.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\PROGRA~2\Webshots\315~1.761\Webshots.scr
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files (x86)\Norton Security Suite\Norton Security Suite\Engine\21.3.0.12\N360.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
C:\Program Files (x86)\Norton Security Suite\Norton Security Suite\Engine\21.3.0.12\N360.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
c:\windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\WUDFHost.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\taskhost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://xfinity.comcast.net/
uSearch Bar = Preserve
BHO: agihelper.AGUtils: {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - 
BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Security Suite\Norton Security Suite\Engine\21.3.0.12\coieplg.dll
BHO: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Security Suite\Norton Security Suite\Engine\21.3.0.12\ips\ipsbho.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Constant Guard Protection Suite: {B84CDBE7-1B46-494B-A188-01D4C52DEB61} - C:\ProgramData\White Sky, Inc\ID Vault\IEBHO1.14.425.1\NativeBHO.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Security Suite\Norton Security Suite\Engine\21.3.0.12\coieplg.dll
uRun: [Weather] C:\Program Files (x86)\AWS\WeatherBug\Weather.exe 1
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
dRunOnce: [FlashPlayerUpdate] C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_9_900_170_ActiveX.exe -update activex
StartupFolder: C:\Users\JOANLE~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Webshots.lnk - C:\Program Files (x86)\Webshots\3.1.5.7619\Launcher.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\CONSTA~1.LNK - C:\Program Files (x86)\Constant Guard Protection Suite\IDVault.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/4.0.1.0/GarminAxControl_32.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {517BE9E4-0B43-4B36-95BA-AE0611546427} - hxxps://www.myonlineportraits.com/WebResource.axd?d=e5nBF0DuFXHaDbGzApNMK05zghZFAjdCQw0BeL9qYznc4uwZePew5eFR7HTbkWGK8NjsuEgcPSp5LpISpFkGleF3Aau2u5B7w_KIT65sKLS2kuATtWvIJd0zkB8aMF_KKPbuE8uKmKwa4n4qWkQ_Hn5Q8deX5YLsRBt6f0Sb5XjKdhFH0&t=634472947366061880
DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{7729F973-7767-42F4-BE49-9526D56F6058} : DHCPNameServer = 192.168.1.1
Notify: SDWinLogon - SDWinLogon.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\35.0.1916.153\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: Windows Live Family Safety Browser Helper Class: {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - C:\Program Files\Windows Live\Family Safety\fssbho.dll
x64-BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Security Suite\Norton Security Suite\Engine64\21.3.0.12\coieplg.dll
x64-TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Security Suite\Norton Security Suite\Engine64\21.3.0.12\coieplg.dll
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;C:\Windows\System32\drivers\N360x64\1503000.00C\symds64.sys [2014-6-4 493656]
R0 SymEFA;Symantec Extended File Attributes;C:\Windows\System32\drivers\N360x64\1503000.00C\symefa64.sys [2014-6-4 1148120]
R1 BHDrvx64;BHDrvx64;C:\Program Files (x86)\Norton Security Suite\Norton Security Suite\NortonData\21.1.0.18\Definitions\BASHDefs\20140606.001\BHDrvx64.sys [2014-6-9 1530160]
R1 ccSet_N360;N360 Settings Manager;C:\Windows\System32\drivers\N360x64\1503000.00C\ccsetx64.sys [2014-6-4 162392]
R1 IDSVia64;IDSVia64;C:\Program Files (x86)\Norton Security Suite\Norton Security Suite\NortonData\21.1.0.18\Definitions\IPSDefs\20140619.001\IDSviA64.sys [2014-6-19 525016]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]
R1 SymIRON;Symantec Iron Driver;C:\Windows\System32\drivers\N360x64\1503000.00C\ironx64.sys [2014-6-4 264280]
R1 SymNetS;Symantec Network Security WFP Driver;C:\Windows\System32\drivers\N360x64\1503000.00C\symnets.sys [2014-6-4 593112]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2012-7-11 140672]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2010-7-30 203776]
R2 CouponPrinterService;Coupon Printer Service;C:\Program Files (x86)\Coupons\CouponPrinterService.exe [2014-2-13 176624]
R2 Device Handle Service;Device Handle Service;C:\Windows\SysWOW64\AsHookDevice.exe [2010-7-30 203392]
R2 IDVaultSvc;CGPS Service;C:\Program Files (x86)\Constant Guard Protection Suite\IDVaultSvc.exe [2014-4-28 41024]
R2 N360;Norton Security Suite;C:\Program Files (x86)\Norton Security Suite\Norton Security Suite\Engine\21.3.0.12\n360.exe [2014-6-4 265040]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [2014-6-17 1738200]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2014-6-17 2081752]
R2 SDWSCService;Spybot-S&D 2 Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [2014-6-17 171928]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2014-6-10 142128]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2011-6-10 539240]
R3 usbfilter;AMD USB Filter Driver;C:\Windows\System32\drivers\usbfilter.sys [2010-11-21 38456]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;C:\Windows\System32\drivers\viahduaa.sys [2010-7-30 1301504]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2013-9-11 124088]
S3 fssfltr;fssfltr;C:\Windows\System32\drivers\fssfltr.sys [2010-7-30 61280]
S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2009-8-5 704864]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\Windows\System32\ieetwcollector.exe [2014-5-17 111616]
S3 libusb0;libusb-win32 - Kernel Driver, Version 1.2.4.0;C:\Windows\System32\drivers\libusb0.sys [2012-3-2 29184]
S3 netr28x;Ralink 802.11n Wireless Driver for Windows Vista;C:\Windows\System32\drivers\netr28x.sys [2009-6-10 620544]
S3 SWDUMon;SWDUMon;C:\Windows\System32\drivers\SWDUMon.sys [2013-6-23 16152]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2011-2-28 59392]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-11-22 1255736]
.
=============== Created Last 30 ================
.
2014-06-20 01:51:35 -------- d-----w- C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2014-06-18 16:11:34 -------- d-----w- C:\FRST
2014-06-17 23:33:19 -------- d-----w- C:\ProgramData\RogueKiller
2014-06-17 20:46:38 21040 ----a-w- C:\Windows\System32\sdnclean64.exe
2014-06-17 20:46:36 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy
2014-06-17 20:46:30 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy 2
2014-06-17 20:10:03 -------- d-----w- C:\Users\Joan Lee\AppData\Local\Zemana
2014-06-17 03:59:14 -------- d-----w- C:\Users\Joan Lee\AppData\Roaming\rightbackup
2014-06-17 03:58:56 -------- d-----w- C:\Users\Joan Lee\AppData\Roaming\systweak
2014-06-16 20:14:08 122584 ----a-w- C:\Windows\System32\drivers\MBAMSwissArmy.sys
2014-06-16 20:13:55 92888 ----a-w- C:\Windows\System32\drivers\mbamchameleon.sys
2014-06-16 20:13:55 63704 ----a-w- C:\Windows\System32\drivers\mwac.sys
2014-06-16 20:13:55 25816 ----a-w- C:\Windows\System32\drivers\mbam.sys
2014-06-14 14:33:45 33240 ----a-w- C:\Windows\System32\drivers\GEARAspiWDM.sys
2014-06-14 14:33:26 -------- d-----w- C:\Windows\System32\drivers\NBRTWizardx64\0600000.04A
2014-06-14 14:33:26 -------- d-----w- C:\Windows\System32\drivers\NBRTWizardx64
2014-06-14 14:33:25 -------- d-----w- C:\Program Files (x86)\Norton Bootable Recovery Tool Wizard
2014-06-14 14:08:49 -------- d-----w- C:\ProgramData\SlimWare Utilities Inc
2014-06-07 01:30:09 98216 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2014-06-07 00:49:21 -------- d-----w- C:\NPE
2014-06-04 22:07:03 593112 ----a-w- C:\Windows\System32\drivers\N360x64\1503000.00C\symnets.sys
2014-06-04 22:07:03 493656 ----a-r- C:\Windows\System32\drivers\N360x64\1503000.00C\symds64.sys
2014-06-04 22:07:03 23568 ----a-r- C:\Windows\System32\drivers\N360x64\1503000.00C\symelam.sys
2014-06-04 22:07:03 1148120 ----a-w- C:\Windows\System32\drivers\N360x64\1503000.00C\symefa64.sys
2014-06-04 22:07:02 875736 ----a-w- C:\Windows\System32\drivers\N360x64\1503000.00C\srtsp64.sys
2014-06-04 22:07:02 36952 ----a-r- C:\Windows\System32\drivers\N360x64\1503000.00C\srtspx64.sys
2014-06-04 22:07:02 264280 ----a-r- C:\Windows\System32\drivers\N360x64\1503000.00C\ironx64.sys
2014-06-04 22:07:02 162392 ----a-r- C:\Windows\System32\drivers\N360x64\1503000.00C\ccsetx64.sys
2014-06-04 22:06:31 -------- d-----w- C:\Windows\System32\drivers\N360x64\1503000.00C
.
==================== Find3M  ====================
.
2014-06-07 01:04:28 512000 ----a-w- C:\Windows\System32\rpcss.dll
2014-05-09 06:14:03 477184 ----a-w- C:\Windows\System32\aepdu.dll
2014-05-09 06:11:23 424448 ----a-w- C:\Windows\System32\aeinv.dll
2014-05-06 04:17:53 2724864 ----a-w- C:\Windows\System32\mshtml.tlb
2014-05-06 03:07:39 2724864 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2014-04-17 20:21:29 59 ----a-w- C:\Windows\wpd99.drv
2014-04-12 02:22:05 95680 ----a-w- C:\Windows\System32\drivers\ksecdd.sys
2014-04-12 02:22:05 155072 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys
2014-04-12 02:19:38 29184 ----a-w- C:\Windows\System32\sspisrv.dll
2014-04-12 02:19:38 136192 ----a-w- C:\Windows\System32\sspicli.dll
2014-04-12 02:19:37 28160 ----a-w- C:\Windows\System32\secur32.dll
2014-04-12 02:19:32 1460736 ----a-w- C:\Windows\System32\lsasrv.dll
2014-04-12 02:19:05 31232 ----a-w- C:\Windows\System32\lsass.exe
2014-04-12 02:12:06 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
2014-04-12 02:10:56 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
.
============= FINISH:  6:29:26.46 ===============
 
 
I attached a zip of the attach.txt  
 

Attached Files




#2 jlrjer

  • Topic Starter
  • Members
  • 38 posts
  • Gender:Female
  • Location:Michigan

Posted 20 June 2014 - 10:04 AM

Oops, I forgot to mention that my first post which was started yesterday and has my previous scans (Broni was advising me) is under  

w64.viknok.B!inf    

#3 B-boy/StyLe/

    Bleepin' Freestyler
  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 20 June 2014 - 10:43 AM

Hello! Welcome to BleepingComputer Forums! :welcome:
My name is Georgi and I will be helping you with your computer problems.

Before we begin, please note the following:

  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something, don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.

 

 

Please download the latest version of Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

 

  • Next please re-run FRST and type the following in the edit box after Search: rpcss.dll
  • Click the Search button
  • It will make a log (Search.txt) - please post the log into your reply to me.

 

Regards,

Georgi




#4 jlrjer

  • Topic Starter
  • Members
  • 38 posts
  • Gender:Female
  • Location:Michigan

Posted 20 June 2014 - 10:59 AM

Hi Georgi,

 

Here are the scans you requested:  

Attached Files



#5 B-boy/StyLe/

    Bleepin' Freestyler
  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 20 June 2014 - 02:58 PM

Hello,

 

 

Please download the following file => and save it to the C:\Users\Joan Lee\Downloads.
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

 

Regards,

Georgi




#6 jlrjer

  • Topic Starter
  • Members
  • 38 posts
  • Gender:Female
  • Location:Michigan

Posted 20 June 2014 - 04:20 PM

I just attached the fixlog.txt.   Wasn't sure if you wanted me to cut and paste it.

Attached Files



#7 B-boy/StyLe/

    Bleepin' Freestyler
  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 20 June 2014 - 05:22 PM

Hello,

 

Nice work!

 

1. Please download HitmanPro.

  • For 32-bit Operating System - [download link]
  • This is the mirror - [mirror link]
  • For 64-bit Operating System - [download link]
  • This is the mirror - [mirror link]

2. Launch the program by double clicking on the HitmanPro icon. (Windows Vista/7 users right click on the HitmanPro icon and select run as administrator).

Note: If the program won't run, then please open the program while holding down the left CTRL key until the program is loaded.

3. Click on the next button. You must agree with the terms of EULA. (if asked)

4. Check the box beside "No, I only want to perform a one-time scan to check this computer".

5. Click on the next button.

6. The program will start to scan the computer. The scan will typically take no more than 2-3 minutes.

7. When the scan is done click on drop-down menu of the found entries (if any) and choose - Apply to all => Ignore <= IMPORTANT!!!

8. Click on the next button.

9. Click on the "Save Log" button.

10. Save that file to your desktop and post the content of that file in your next reply.

Note: if there isn't a dropdown menu when the scan is done then please don't delete anything and close HitmanPro.

Navigate to C:\ProgramData\HitmanPro\Logs, open the report and copy and paste it to your next reply.

 

 

 

Regards,

Georgi




#8 jlrjer

  • Topic Starter
  • Members
  • 38 posts
  • Gender:Female
  • Location:Michigan

Posted 20 June 2014 - 05:39 PM

Hi Georgi,

 

I have completed the HitmanPro scan and attached the file.

 

I really all of your help in this.  

 

Attached Files



#9 B-boy/StyLe/

    Bleepin' Freestyler
  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 20 June 2014 - 05:57 PM

Hi,

 

HitmanPro found only some potentially unwanted applications and no active threats.

 

We can remove them this way:

 

Please download the following file => and save it to the C:\Users\Joan Lee\Downloads.
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

 

Next I'd like us to scan your machine with ESET OnlineScan

 

Note: Eset could take up to an hour or even more depending on the size of your hard drive and the speed of your computer.
You can run this scan at night when you are not there and the computer is idle.


  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Run ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click the link to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the ESET Smart Installer icon on your desktop.
  • Check the box to accept the Terms of Use.
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push List of found threats.
  • Push Export to text file, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Back button.
  • Push Finish.

 

Since here it is 01:56 a.m. and I need my sleep I'll talk to you tomorrow. :)

 

 

Regards,

Georgi




#10 jlrjer

  • Topic Starter
  • Members
  • 38 posts
  • Gender:Female
  • Location:Michigan

Posted 20 June 2014 - 11:10 PM

Hi Georgio,

 

I really appreciate how fast you have been responding back to me.

 

Here are the last 2 scan logs you requested.

 

Thanks again for your help.  Talk to you tomorrow.

Attached Files



#11 B-boy/StyLe/

    Bleepin' Freestyler
  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 21 June 2014 - 09:19 AM

Hello,

 

 

Let's remove the baddies found by Eset:

 

Please download the following file => and save it to the C:\Users\Joan Lee\Downloads.
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

Next please let me know how are things now.

 

 

 

Regards,

Georgi




#12 jlrjer

  • Topic Starter
  • Members
  • 38 posts
  • Gender:Female
  • Location:Michigan

Posted 21 June 2014 - 10:43 AM

Hi,

 

At first my browser wasn't responding so I closed it out, redownloaded the fixlist.txt and made sure everything was in the same folder.  I think it worked this time.  I have attached the log.

 

Everything seems to be running smoothly.  My browser has not frozen up on me or closed out automatically.  And, the fan/processor seems to be running normally.  It is not running continuously and doesn't seem to be straining the way it used to. 

 

Hopefully all is good now!  

 

Has this cleaned out everything in my restore feature and backup files? Should I run Norton again? This is where my original problem w64.viknok.B!inf originally showed up.

 

: )    Just want to make sure I don't do anything wrong. 

Attached Files



#13 B-boy/StyLe/

    Bleepin' Freestyler
  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 21 June 2014 - 01:32 PM

Hi,

 

It seems that the script should have worked the previous time you ran it, because according to the attached log the entries are no longer there.

 

Has this cleaned out everything in my restore feature and backup files

 

Do you mean the System Restore utility? If the answer is yes, then no. We didn't remove them, but it's not needed at this point since no infected files were found in your old System Restore Points so far.

 

Should I run Norton again--this is where my original problem w64.viknok.B!inf originally showed up.

 

It's worth a try, but before this do the following:

 

Update Norton definitions and go into Norton's History, go into the drop-down list and choose the "Unresolved Threats" list and click the "Clear Entries" button to remove the listings. A restart is probably required. Next run a complete system scan with it and let me know about the results. If nothing is found then watch the computer for a few days to see if anything strange happens and post back if any problems develop. Then I'll give you my final recommendations.

 

 

Regards,

Georgi




#14 jlrjer

  • Topic Starter
  • Members
  • 38 posts
  • Gender:Female
  • Location:Michigan

Posted 21 June 2014 - 03:50 PM

Hi Georgi,

 

I did like you said and went into Norton's history and cleared out the unresolved issues. I restarted my computer although it didn't say anything about doing it. After running a complete system scan it says I have 1 unresolved issue that needs manual removal and that is cryptbase.dll, threat name w64.viknok.B!linf. Now what?



#15 B-boy/StyLe/

    Bleepin' Freestyler
  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 21 June 2014 - 05:49 PM

Hi,

 

That's odd. Usually HitmanPro is able to detect it as Trojan.Win32.Rozena.rpcs

 

Here is an example from one month ago:
 

 

> Kaspersky  . . . . : Trojan.Win32.Rozena.rpcs
>       Fuzzy  . . . . . . : 101.0
>       Forensic Cluster
>           0.0s C:\Users\User\AppData\LocalLow\gzkazax.dll
>           3.2s C:\Windows\System32\sysprep\cryptbase.dll

 

Let me check something:

 

Please download the following file => and save it to the Desktop.
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

 

Regards,

Georgi
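As an added example (not code from this thread or from any of the tools used in it), the Python script below parses the two log formats quoted above, the DDS file listing in post #1 and the HitmanPro forensic cluster in post #15, and applies simple triage rules to every path: a file carrying a system DLL name outside System32/SysWOW64 (the sysprep\cryptbase.dll case), a DLL sitting in a user profile directory, and a watchlisted core binary such as rpcss.dll appearing with a recent modification time. The rule sets, the watchlist and the sample lines are my assumptions, constructed from paths that appear in the thread, not the helpers' procedure.

```python
from __future__ import annotations

import re
from pathlib import PureWindowsPath

# Constructed sample input in the two formats quoted in this thread: DDS
# "Find3M"/"Created Last 30" entries (post #1) and a HitmanPro
# "Forensic Cluster" (post #15). Paths are copied from the thread.
SAMPLE_DDS = """\
2014-06-07 01:04:28 512000 ----a-w- C:\\Windows\\System32\\rpcss.dll
2014-06-17 20:46:38 21040 ----a-w- C:\\Windows\\System32\\sdnclean64.exe
2014-04-12 02:22:05 95680 ----a-w- C:\\Windows\\System32\\drivers\\ksecdd.sys
2014-06-20 01:51:35 -------- d-----w- C:\\ProgramData\\Malwarebytes' Anti-Malware (portable)
"""
SAMPLE_HMP = """\
      Forensic Cluster
          0.0s C:\\Users\\User\\AppData\\LocalLow\\gzkazax.dll
          3.2s C:\\Windows\\System32\\sysprep\\cryptbase.dll
"""

# DDS line: <date> <time> <size, or -------- for directories> <attrs> <path>
DDS_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) (\S+) (.+)$")
# HitmanPro cluster line: <seconds offset>s <path>
HMP_LINE = re.compile(r"^\s*(\d+(?:\.\d+)?)s\s+(.+?)\s*$")

# Assumed rules (mine, not any tool's). Windows loads these DLLs only from the
# two system directories, so a same-named file anywhere else (here
# System32\sysprep) is a DLL search-order hijack candidate. The WinSxS
# component store keeps legitimate extra copies and is excluded.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
SYSTEM_DLL_NAMES = {"cryptbase.dll", "rpcss.dll"}
COMPONENT_STORE = r"c:\windows\winsxs"
# Core service binaries that rarely change; a fresh mtime on one of them in a
# "last 30 days" listing deserves a hash/signature check against a clean copy.
WATCHLIST = {"rpcss.dll", "services.exe"}


def parse_dds(text: str) -> list[dict]:
    """Parse DDS file-listing lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = DDS_LINE.match(line.strip())
        if not m:
            continue
        mtime, size, attrs, path = m.groups()
        entries.append({
            "mtime": mtime,
            "size": None if size.startswith("-") else int(size),
            "is_dir": attrs.startswith("d"),
            "path": path,
        })
    return entries


def parse_hitmanpro(text: str) -> list[tuple[float, str]]:
    """Return (offset_seconds, path) pairs from a HitmanPro forensic cluster."""
    return [(float(m.group(1)), m.group(2))
            for m in map(HMP_LINE.match, text.splitlines()) if m]


def assess_path(path: str) -> list[str]:
    """Return the reasons a single path deserves a closer look (empty if none)."""
    p = PureWindowsPath(path)
    low, name, parent = str(p).lower(), p.name.lower(), str(p.parent).lower()
    reasons: list[str] = []
    if low.startswith(COMPONENT_STORE):
        return reasons
    if name in SYSTEM_DLL_NAMES and parent not in SYSTEM_DIRS:
        reasons.append("system DLL name outside System32/SysWOW64 "
                       "(DLL search-order hijack candidate)")
    if name.endswith(".dll") and "\\appdata\\" in low:
        reasons.append("DLL living in a user profile directory")
    if name in WATCHLIST and parent in SYSTEM_DIRS:
        reasons.append("core service binary on watchlist; "
                       "verify hash/signature against a known-good copy")
    return reasons


def scan(dds_text: str, hmp_text: str) -> dict[str, list[str]]:
    """Run assess_path over every file path found in both logs."""
    paths = [e["path"] for e in parse_dds(dds_text) if not e["is_dir"]]
    paths += [p for _, p in parse_hitmanpro(hmp_text)]
    return {path: reasons for path in paths if (reasons := assess_path(path))}


if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_DDS, SAMPLE_HMP).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

On the sample input the script flags the sysprep copy of cryptbase.dll, the DLL under AppData\LocalLow and the recently modified rpcss.dll, and leaves the driver, the cleanup executable and the directory entry alone.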

