
Oxy/Pilefile Downloader

  • This topic is locked
7 replies to this topic

#1 TBongers

TBongers

  • Members
  • 4 posts
  • OFFLINE
  • Local time:10:07 PM

Posted 30 July 2014 - 10:41 AM

Hello,

 

I'm having trouble removing oxy and the associated PileFile Downloader from my windows 8 computer.

Malwarebytes and other anti-malware/virus programs do not seem to detect these files or recognize them as malicious.

Manually removing them is also not possible; it generates the message: "Action not allowed. Contact systems administrator." Even though I am the administrator.

I have tried to pick up on the topic: http://www.bleepingcomputer.com/forums/t/541843/oxy-malware/?hl=%2Boxy#entry3434849, yet it seems that I am not allowed to post a reply. 

So far I have downloaded Farbar Recovery Scan Tool and created the FRST.txt file, as well as the Addition.txt file. (attachment)

If necessary, system information can be added, yet this file was too big even though it was zipped.

 

Thank you in advance.

 

 


#2 Rootk

Rootk

  • Malware Response Team
  • 234 posts
  • OFFLINE
  • Gender:Male
  • Location:Easter Island, Chile.
  • Local time:05:07 PM

Posted 30 July 2014 - 05:20 PM

Hi, TBongers. I'm checking your logs now and will reply with instructions soon.



#3 Rootk

Rootk

  • Malware Response Team
  • 234 posts
  • OFFLINE
  • Gender:Male
  • Location:Easter Island, Chile.
  • Local time:05:07 PM

Posted 30 July 2014 - 09:45 PM

First off, I want you to know that I'm still in training for malware removal and my responses have to be approved before I can post them to you, therefore there will be a little delay between each post.

 

BTW, you can't reply to the thread you mentioned because only the thread starter and Staff are allowed to reply to the threads in the Virus, Trojan, Spyware, and Malware Removal Logs board.

 

Now, please follow these steps:

1.- Download AdwCleaner by Xplode onto your Desktop.

  • Double click on Adwcleaner.exe to run the tool.
  • Click on Scan
  • Once the scan is done, click on the Clean button.
  • You will get a prompt asking to close all programs. Click OK.
  • Click OK again to reboot your computer.
  • A text file will open after the restart. Please post the content of that logfile in your reply.
  • You can also find the logfile at C:\AdwCleaner[Sn].txt.

2.- Download Junkware Removal Tool to your desktop.

  • Shutdown your antivirus to avoid any conflicts.
  • Run the tool by double-clicking it.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt in your next message.

3.- Please download RogueKiller and Save to the desktop.

  • Close all windows and browsers
  • Double click on RogueKiller.exe to run the tool.
  • Press the scan button.
  • A report opens on the desktop named - RKreport.txt
  • Please post it in your next reply.


#4 TBongers

TBongers
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:10:07 PM

Posted 31 July 2014 - 08:30 AM

ADW-Report:

 

# AdwCleaner v3.302 - Report created 31/07/2014 at 15:24:23
# Updated 30/07/2014 by Xplode
# Operating System : Windows 8  (64 bits)
# Username : Toon - PCTOONBONGERS
# Running from : C:\Users\Toon\Downloads\AdwCleaner.exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
Folder Deleted : C:\ProgramData\AVG Secure Search
Folder Deleted : C:\ProgramData\AVG Security Toolbar
Folder Deleted : C:\ProgramData\WPM
Folder Deleted : C:\Program Files (x86)\AVG SafeGuard toolbar
Folder Deleted : C:\Program Files (x86)\Bench
Folder Deleted : C:\Program Files (x86)\globalUpdate
Folder Deleted : C:\Program Files (x86)\Optimizer Pro
Folder Deleted : C:\Program Files (x86)\predm
Folder Deleted : C:\Program Files (x86)\Common Files\337
Folder Deleted : C:\Users\Toon\AppData\Local\cool_mirage
Folder Deleted : C:\Users\Toon\AppData\Local\globalUpdate
Folder Deleted : C:\Users\Toon\AppData\Local\Temp\AtuZi
Folder Deleted : C:\Users\Toon\AppData\Local\Temp\HulaToo
Folder Deleted : C:\Users\Toon\AppData\Local\Temp\WebSpades
Folder Deleted : C:\Users\Toon\AppData\Roaming\Systweak
Folder Deleted : C:\Users\Toon\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Oxy
Folder Deleted : C:\Users\Toon\Documents\Optimizer Pro
File Deleted : C:\Users\Toon\AppData\Local\Temp\Uninstall.exe
File Deleted : C:\Users\Toon\AppData\Roaming\Mozilla\Firefox\Profiles\yq94jtqk.default\user.js
 
***** [ Scheduled Tasks ] *****
 
Task Deleted : Desk 365 RunAsStdUser
Task Deleted : Oxy
Task Deleted : Windows Updater
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\AdvancedSystemProtector_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\AdvancedSystemProtector_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\smartbar_rasapi32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\smartbar_rasmancs
Key Deleted : HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\DeskSvc
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{C007DADD-132A-624C-088E-59EE6CF0711F}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{AE07101B-46D4-4A98-AF68-0333EA26E113}]
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}
Value Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{AE07101B-46D4-4A98-AF68-0333EA26E113}]
Key Deleted : HKCU\Software\Escolade
Key Deleted : HKCU\Software\GlobalUpdate
Key Deleted : HKCU\Software\systweak
Key Deleted : HKCU\Software\TutoTag
Key Deleted : HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKCU\Software\AppDataLow\Software\adawarebp
Key Deleted : HKCU\Software\AppDataLow\Software\Re_Markit
Key Deleted : HKLM\Software\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKLM\Software\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
Key Deleted : HKLM\Software\{6791A2F3-FC80-475C-A002-C014AF797E9C}
Key Deleted : HKLM\Software\Bench
Key Deleted : HKLM\Software\Desksvc
Key Deleted : HKLM\Software\GlobalUpdate
Key Deleted : HKLM\Software\hdcode
Key Deleted : HKLM\Software\SupTab
Key Deleted : HKLM\Software\supWPM
Key Deleted : HKLM\Software\systweak
Key Deleted : HKLM\Software\Tutorials
Key Deleted : HKLM\Software\V9
Key Deleted : HKLM\Software\Wpm
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{2A4641B4-EDDB-46D1-B34B-F93E19A8B3DB}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{9AAF2503-6CD5-414A-B5BA-37639B76C91F}
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v10.0.9200.17028
 
Setting Restored : HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Default_Search_URL]
Setting Restored : HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Search Page]
Setting Restored : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Default_Search_URL]
Setting Restored : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Search Page]
 
-\\ Mozilla Firefox v
 
[ File : C:\Users\Toon\AppData\Roaming\Mozilla\Firefox\Profiles\yq94jtqk.default\prefs.js ]
 
Line Deleted : user_pref("browser.search.defaultenginename", "qone8");
Line Deleted : user_pref("browser.uiCustomization.state", "{\"placements\":{\"PanelUI-contents\":[\"edit-controls\",\"zoom-controls\",\"new-window-button\",\"privatebrowsing-button\",\"save-page-button\",\"print-but[...]
Line Deleted : user_pref("extensions.helperbar.BackPageActive", true);
Line Deleted : user_pref("extensions.helperbar.DockingPositionDown", false);
Line Deleted : user_pref("extensions.helperbar.SmartbarDisabled", false);
Line Deleted : user_pref("extensions.helperbar.SmartbarStateMinimaized", false);
Line Deleted : user_pref("extensions.helperbar.Visibility", true);
Line Deleted : user_pref("extensions.helperbar.backPageCapacity", 3);
Line Deleted : user_pref("extensions.helperbar.backPageCounter", 0);
Line Deleted : user_pref("extensions.helperbar.backPageDay", 26);
Line Deleted : user_pref("extensions.helperbar.backPageLastEvent", "1395673268433");
Line Deleted : user_pref("extensions.helperbar.backPageMinInterval", 15);
Line Deleted : user_pref("extensions.helperbar.barcodeid", "129845");
Line Deleted : user_pref("extensions.helperbar.countryiso", "be");
Line Deleted : user_pref("extensions.helperbar.downloadprovider", "ob_[[pubid]]_ch");
Line Deleted : user_pref("extensions.helperbar.externalJsFiles", "{\"d\":\"[{\\\"ExcludeDomains\\\":[\\\"snap.do\\\",\\\"snapdo.com\\\"],\\\"hxxpInjection\\\":\\\"hxxp:\\\\\\/\\\\\\/www.superfish.com\\\\\\/ws\\\\\\/[...]
Line Deleted : user_pref("extensions.helperbar.fromautoupdate", "false");
Line Deleted : user_pref("extensions.helperbar.installationid", "08bc66b7-7445-ddbc-4735-f30b45efa740");
Line Deleted : user_pref("extensions.helperbar.installdate", "26/03/2014");
Line Deleted : user_pref("extensions.helperbar.keepAliveLastevent", "1395846058");
Line Deleted : user_pref("extensions.helperbar.lastExternalJsUpdate", "1395846068490");
Line Deleted : user_pref("extensions.helperbar.publisher", "shoppinghelper");
 
-\\ Google Chrome v36.0.1985.125
 
[ File : C:\Users\Toon\AppData\Local\Google\Chrome\User Data\Default\preferences ]
 
 
*************************
 
AdwCleaner[R0].txt - [7165 octets] - [31/07/2014 15:22:14]
AdwCleaner[S0].txt - [6597 octets] - [31/07/2014 15:24:23]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [6657 octets] ##########


#5 TBongers

TBongers
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:10:07 PM

Posted 31 July 2014 - 08:40 AM

junkware removal tool:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.4 (04.06.2014:1)
OS: Windows 8 x64
Ran by Toon on Thu 07/31/2014 at 15:32:51.73
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Registry Values
 
 
 
~~~ Registry Keys
 
 
 
~~~ Files
 
 
 
~~~ Folders
 
Successfully deleted: [Folder] "C:\WINDOWS\syswow64\ai_recyclebin"
 
 
 
~~~ Event Viewer Logs were cleared
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Thu 07/31/2014 at 15:39:26.27
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


#6 TBongers

TBongers
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:10:07 PM

Posted 31 July 2014 - 08:50 AM

Roguekiller:

RogueKiller V9.2.4.0 (x64) [Jul 11 2014] by Adlice Software
 
Operating System : Windows 8 (6.2.9200 ) 64 bits version
Started in : Normal mode
User : Toon [Admin rights]
Mode : Scan -- Date : 07/31/2014  15:48:19
 
¤¤¤ Bad processes : 1 ¤¤¤
[Suspicious.Path] RTFTrack.exe -- C:\Windows\RTFTrack.exe[7] -> KILLED [TermProc]
 
¤¤¤ Registry Entries : 17 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | RtsFT : RTFTrack.exe  -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 195.130.131.129 195.130.130.1  -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 195.130.131.129 195.130.130.1  -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{EC9D535D-C46C-4A51-96CE-81DC53B2870B} | DhcpNameServer : 195.130.131.129 195.130.130.1  -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{EC9D535D-C46C-4A51-96CE-81DC53B2870B} | DhcpNameServer : 195.130.131.129 195.130.130.1  -> FOUND
[PUM.Policies] (X64) HKEY_USERS\S-1-5-21-4082342249-268472844-1341896065-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0  -> FOUND
[PUM.Policies] (X64) HKEY_USERS\S-1-5-21-4082342249-268472844-1341896065-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr : 0  -> FOUND
[PUM.Policies] (X86) HKEY_USERS\S-1-5-21-4082342249-268472844-1341896065-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0  -> FOUND
[PUM.Policies] (X86) HKEY_USERS\S-1-5-21-4082342249-268472844-1341896065-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr : 0  -> FOUND
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr : 0  -> FOUND
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0  -> FOUND
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr : 0  -> FOUND
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0  -> FOUND
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> FOUND
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> FOUND
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> FOUND
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> FOUND
 
¤¤¤ Scheduled tasks : 1 ¤¤¤
[Suspicious.Path] \\RunAsStdUser Task -- C:\Users\Toon\AppData\Local\Oxy\Application\oxy.exe (--app=chrome-extension://cgeglcjaapbfihfpfmamaoipnbocnjkl/index.html#q=\Total War Rome 2") -> FOUND
 
¤¤¤ Files : 0 ¤¤¤
 
¤¤¤ HOSTS File : 0 ¤¤¤
 
¤¤¤ Antirootkit : 29 (Driver: LOADED) ¤¤¤
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\i8042prt.sys - IRP_MJ_READ[3] : C:\WINDOWS\system32\DRIVERS\ETD.sys @ 0x5c4a120
[EAT:Addr] (explorer.exe) NInput.dll - BatMeterIconAnimationReset : C:\WINDOWS\system32\BatMeter.dll @ 0x7ff71904554
[EAT:Addr] (explorer.exe) NInput.dll - BatMeterIconThemeReset : C:\WINDOWS\system32\BatMeter.dll @ 0x7ff719046ec
[EAT:Addr] (explorer.exe) NInput.dll - BatMeterOnDeviceChange : C:\WINDOWS\system32\BatMeter.dll @ 0x7ff71904134
[EAT:Addr] (explorer.exe) NInput.dll - CleanupBatteryData : C:\WINDOWS\system32\BatMeter.dll @ 0x7ff71901884
[EAT:Addr] (explorer.exe) NInput.dll - CreateBatteryData : C:\WINDOWS\system32\BatMeter.dll @ 0x7ff71902b98
[EAT:Addr] (explorer.exe) NInput.dll - GetBatMeterIconAnimationState : C:\WINDOWS\system32\BatMeter.dll @ 0x7ff719041f0
[EAT:Addr] (explorer.exe) NInput.dll - GetBatMeterIconAnimationTimeDelay : C:\WINDOWS\system32\BatMeter.dll @ 0x7ff71904370
[EAT:Addr] (explorer.exe) NInput.dll - GetBatMeterIconAnimationUpdate : C:\WINDOWS\system32\BatMeter.dll @ 0x7ff71904494
[EAT:Addr] (explorer.exe) NInput.dll - GetBatteryCapacityInfo : C:\WINDOWS\system32\BatMeter.dll @ 0x7ff71903f18
[EAT:Addr] (explorer.exe) NInput.dll - GetBatteryDetails : C:\WINDOWS\system32\BatMeter.dll @ 0x7ff71905ad0
[EAT:Addr] (explorer.exe) NInput.dll - GetBatteryImmersiveIcon : C:\WINDOWS\system32\BatMeter.dll @ 0x7ff71902060
[EAT:Addr] (explorer.exe) NInput.dll - GetBatteryInfo : C:\WINDOWS\system32\BatMeter.dll @ 0x7ff71905100
[EAT:Addr] (explorer.exe) NInput.dll - GetBatteryStatusText : C:\WINDOWS\system32\BatMeter.dll @ 0x7ff71905190
[EAT:Addr] (explorer.exe) NInput.dll - GetBatteryWorkingState : C:\WINDOWS\system32\BatMeter.dll @ 0x7ff719019c0
[EAT:Addr] (explorer.exe) NInput.dll - IsBatteryBad : C:\WINDOWS\system32\BatMeter.dll @ 0x7ff71903f0c
[EAT:Addr] (explorer.exe) NInput.dll - IsBatteryHealthWarningEnabled : C:\WINDOWS\system32\BatMeter.dll @ 0x7ff71903f00
[EAT:Addr] (explorer.exe) NInput.dll - IsBatteryLevelCritical : C:\WINDOWS\system32\BatMeter.dll @ 0x7ff71903ec4
[EAT:Addr] (explorer.exe) NInput.dll - IsBatteryLevelLow : C:\WINDOWS\system32\BatMeter.dll @ 0x7ff71903ed8
[EAT:Addr] (explorer.exe) NInput.dll - IsBatteryLevelReserve : C:\WINDOWS\system32\BatMeter.dll @ 0x7ff71903eec
[EAT:Addr] (explorer.exe) NInput.dll - PowerCapabilities : C:\WINDOWS\system32\BatMeter.dll @ 0x7ff71901560
[EAT:Addr] (explorer.exe) NInput.dll - QueryBatteryData : C:\WINDOWS\system32\BatMeter.dll @ 0x7ff71902c44
[EAT:Addr] (explorer.exe) NInput.dll - SetBatteryHealthWarningState : C:\WINDOWS\system32\BatMeter.dll @ 0x7ff71903f00
[EAT:Addr] (explorer.exe) NInput.dll - SetBatteryLevel : C:\WINDOWS\system32\BatMeter.dll @ 0x7ff719027a0
[EAT:Addr] (explorer.exe) NInput.dll - SetBatteryWorkingState : C:\WINDOWS\system32\BatMeter.dll @ 0x7ff71901048
[EAT:Addr] (explorer.exe) NInput.dll - SubscribeBatteryUpdateNotification : C:\WINDOWS\system32\BatMeter.dll @ 0x7ff71901fb8
[EAT:Addr] (explorer.exe) NInput.dll - UnsubscribeBatteryUpdateNotification : C:\WINDOWS\system32\BatMeter.dll @ 0x7ff71901980
[EAT:Addr] (explorer.exe) NInput.dll - UpdateBatteryData : C:\WINDOWS\system32\BatMeter.dll @ 0x7ff719050c4
[EAT:Addr] (explorer.exe) NInput.dll - UpdateBatteryDataAsync : C:\WINDOWS\system32\BatMeter.dll @ 0x7ff71901b60
 
¤¤¤ Web browsers : 1 ¤¤¤
[PUP][FIREFX:Addon] yq94jtqk.default : Quick Start [quick_start@gmail.com] -> FOUND
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST500LT012-9WS142 +++++
--- User ---
[MBR] a007eda53c982bda845343c5e539d015
[BSP] b0ff98d663b1e9bbcd622c624f07cbc1 : Empty MBR Code
Partition table:
0 - [XXXXXX] UNKNOWN (0x0) [VISIBLE] Offset (sectors): 1 | Size: 2097152 MB
User = LL1 ... OK
User = LL2 ... OK

Thank you very much for making the time to help me with this problem.
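As an added example (not part of this thread, and not a tool written by any of the posters or by Adlice Software), the script below parses the RogueKiller report format shown above, i.e. the `¤¤¤ Section : N ¤¤¤` headers and the `[Category] ... -> VERDICT` entry lines, and ranks each entry the way a responder reads such a log: a persistence entry whose executable lives under a user-writable directory such as AppData\Local (the Oxy scheduled task), an executable placed directly in C:\Windows (RTFTrack.exe), or a Run value that names an executable without a full path is ranked high; `PUM.*` entries are ranked low because they are potentially unwanted modifications that are often legitimate settings (DHCP-assigned DNS servers, policy values of 0), which is consistent with none of them being selected for deletion in this thread. The sample log inside the script is constructed from lines of the posted report; the heuristic names, the user-writable directory list and the priority labels are my own choices, not RogueKiller's rules.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: a handful of lines copied from the RogueKiller report posted
# in this thread, kept in RogueKiller's line shape so the parser has realistic input.
SAMPLE_LOG = r"""
¤¤¤ Bad processes : 1 ¤¤¤
[Suspicious.Path] RTFTrack.exe -- C:\Windows\RTFTrack.exe[7] -> KILLED [TermProc]

¤¤¤ Registry Entries : 17 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | RtsFT : RTFTrack.exe  -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 195.130.131.129 195.130.130.1  -> FOUND
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr : 0  -> FOUND

¤¤¤ Scheduled tasks : 1 ¤¤¤
[Suspicious.Path] \\RunAsStdUser Task -- C:\Users\Toon\AppData\Local\Oxy\Application\oxy.exe (--app=chrome-extension://cgeglcjaapbfihfpfmamaoipnbocnjkl/index.html#q=\Total War Rome 2") -> FOUND

¤¤¤ Web browsers : 1 ¤¤¤
[PUP][FIREFX:Addon] yq94jtqk.default : Quick Start [quick_start@gmail.com] -> FOUND
"""

# "¤¤¤ Registry Entries : 17 ¤¤¤" -> section name and an optional count
SECTION_RE = re.compile(r"^¤¤¤\s*(?P<name>.+?)\s*:\s*(?P<count>\d*)\s*¤¤¤")
# "[Category] <body> -> VERDICT" (verdict is FOUND, KILLED, ...)
ENTRY_RE = re.compile(r"^\[(?P<cat>[^\]]+)\]\s*(?P<body>.*?)\s*->\s*(?P<verdict>[A-Z]+)")
# first drive-letter path ending in .exe inside an entry body
EXE_RE = re.compile(r"[A-Za-z]:\\\S+?\.exe", re.IGNORECASE)
# an .exe sitting directly in the Windows directory rather than in a subfolder
WINDIR_EXE_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$")

# Directory markers a standard user can write to (heuristic list chosen for this
# example); a persistence entry pointing here deserves a closer look.
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\temp\\",
                 "\\users\\public\\", "\\programdata\\")


@dataclass
class Finding:
    section: str
    category: str
    verdict: str
    body: str
    exe: Optional[str]
    reasons: List[str] = field(default_factory=list)

    @property
    def priority(self) -> str:
        # PUM = potentially unwanted *modification*: frequently a legitimate
        # setting, so verify it rather than delete it on sight.
        if self.category.startswith("PUM."):
            return "low"
        if self.category == "PUP" or self.reasons:
            return "high"
        return "medium"


def triage(section: str, category: str, body: str, verdict: str) -> Finding:
    """Apply the path heuristics to one entry and record why it was ranked."""
    m = EXE_RE.search(body)
    exe = m.group(0) if m else None
    reasons: List[str] = []
    if exe:
        low = exe.lower()
        if any(marker in low for marker in USER_WRITABLE):
            reasons.append("executable lives in a user-writable location")
        if WINDIR_EXE_RE.match(low):
            reasons.append("executable sits directly in the Windows directory")
    elif "\\currentversion\\run |" in body.lower():
        reasons.append("Run value names an executable without a full path")
    if "--app=chrome-extension://" in body:
        reasons.append("launches a packaged browser app via a chrome-extension URL")
    return Finding(section, category, verdict, body, exe, reasons)


def parse_report(text: str) -> List[Finding]:
    """Walk the report line by line, tracking the current ¤¤¤ section."""
    findings: List[Finding] = []
    section = "unknown"
    for raw in text.splitlines():
        line = raw.strip()
        s = SECTION_RE.match(line)
        if s:
            section = s.group("name")
            continue
        e = ENTRY_RE.match(line)
        if e:
            findings.append(triage(section, e.group("cat"), e.group("body"), e.group("verdict")))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.priority] += 1
    return counts


if __name__ == "__main__":
    for f in parse_report(SAMPLE_LOG):
        print(f"[{f.priority:6}] {f.section:17} {f.category:16} {f.exe or '-'}")
        for r in f.reasons:
            print(f"         - {r}")
    print(summarize(parse_report(SAMPLE_LOG)))
```

Run it as-is to print the ranked list for the embedded sample, or pass the text of a saved RKreport.txt to `parse_report` to triage a real report. The heuristics are deliberately narrow; the output is a reading aid for the log, not a verdict on any entry.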



#7 Rootk

Rootk

  • Malware Response Team
  • 234 posts
  • OFFLINE
  • Gender:Male
  • Location:Easter Island, Chile.
  • Local time:05:07 PM

Posted 31 July 2014 - 05:57 PM

Follow these steps:

1.- Please re-run RogueKiller.
Wait until Prescan has finished
Click on Scan.
Once the scan is done, click the Tasks tab and place a checkmark on this item:



[Suspicious.Path] \\RunAsStdUser Task -- C:\Users\Toon\AppData\Local\Oxy\Application\oxy.exe (--app=chrome-extension://cgeglcjaapbfihfpfmamaoipnbocnjkl/index.html#q=\Total War Rome 2") -> FOUND

Next, click the Web Browser tab and place a checkmark on this item:



[PUP][FIREFX:Addon] yq94jtqk.default : Quick Start [quick_start@gmail.com] -> FOUND

Press the Delete button.
Then, click on Report. A log file will open; please copy/paste the content of that file into your next reply.


2.- Run Malwarebytes Anti-Malware and do the following:

Click on Scan now.
If an update is available, click Update Now.
A Threat Scan will start.
After scan, if potential threats are detected, ensure that Quarantine is selected as the Action for all the listed items, and click the Apply Actions button.

A window with an option to view the detailed log will appear. Click on View Detailed Log.
After viewing the results, please click on the Copy to Clipboard button > OK.
Paste your log into your next reply.

Note: If you lose the Clipboard copy and need to retrieve the log again, it can be found by opening Malwarebytes and clicking on History > Application Logs with the date of the scan. Simply double-click on that in order to see the options for Copying to Clipboard or Export to a .txt file (Notepad), etc. The .txt file can be saved and posted when you are ready.
 

 

3.- Download Malwarebytes Anti-Rootkit from this link http://www.malwarebytes.org/products/mbar/

  • Unzip the File to a convenient location. (Recommend the Desktop)
  • You may receive a User Account Control prompt asking if you are sure you wish to allow the program to run. Please allow the program to run and MBAR will now start to install any necessary drivers that are required for the program to operate correctly. If a rootkit is interfering with the installation of the drivers you will see a message that states that the DDA driver was not installed and that you should reboot your computer to install it. You will see this image:

mbarwm.png

  • If you receive this message, please click on the Yes button and Malwarebytes Anti-Rootkit will now restart your computer. Once the computer is rebooted and you login, MBAR will automatically start and you will now be at the start screen.
  • The following image opens, select Next.

Image2.png

  • The following image opens, select Update

Image3.png

  • When the Update completes, select Next

Image4.png

  • In the following window ensure "Targets" are ticked. Then select "Scan"

Image5.png

  • If an infection/s is found the "Cleanup Button" to remove threats will be available. A list of infected files will be listed like the following example:

MBAntiRKclean.png

  • Do not select the "Clean up Button"; select the "Exit" button. There will be a warning as follows:

MBAntiRKclean1.png

  • Select "Yes" to close down the program. If NO infections were found you will see the following image:

Image6.png

  • Select "Exit" to close down.
  • Copy and paste the two following logs from the mbar folder:

  • System - log
  • Mbar - log (date and time of scan will also be shown)

Post those two logs in your reply.



#8 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  • Location:Mikado Michigan
  • Local time:04:07 PM

Posted 20 October 2014 - 09:44 AM

Due to the lack of feedback/inactivity, this Topic is closed. Should you need it reopened, please contact a Forum Moderator or member of the Malware Response Team. Include the address of this thread in your request. If you have a new issue, please start a New Topic. This applies only to the original poster. Everyone else please begin a New Topic.


Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families
