
Ran ComboFix before FRST log prematurely. Should I do a system restore?


  • This topic is locked
25 replies to this topic

#1 AviMc

AviMc

  • Members
  • 15 posts

Posted 31 January 2015 - 04:57 AM

I'm not sure of the order in which I have done things since I've been working on this computer for three days now.

 

I had ransomware, but I was able to right-click the files and restore previous versions of them because they were in old restore points.  I got lucky.  But there were some remnants left over.  Someone uninstalled a bunch of programs that I didn't use.  I uninstalled some more.  And then I had many Trojans and viruses and ran every program I knew was good to clean up this computer, and I thought I was finished until I used Internet Explorer and a website I created would get redirected to other websites, so I installed and used other malware programs.

 

I found BleepingComputer and some download pages, so I downloaded and used what was suggested and what other people were downloading.  At some point, I read not to use ComboFix until I had help from someone technical, but I didn't realize that meant someone who helps on this forum and ran it anyway, thinking I was technical enough to do so.  Kind of knowing I should wait and read more, I went ahead and got curious about the options of the installation, but it was too late because it automatically started after I clicked something without any cancel button (again, I can't remember exactly what I did).  It hid for a little while and I thought it had stopped, but then it came back up again and finished what it was doing.

 

I used Rkill at some point and it reported "ALERT: ZEROACCESS rootkit symptoms found."  Not sure what to do about that or whether it has something to do with the ransomware.

 

At some point I ran TDSSKiller but did not choose "delete" when it reported a Device\Harddisk0\DR0 problem, and ignored it.  I then Googled it and found a post here: www.bleepingcomputer.com/forums/t/461250/tdsskiller-deleted-deviceharddisk0dr0-and-now-operating-system-wont-boot/ and read through it; it was pretty much the same as what I experienced.

 

Everything seems to be running normally now, but the computer still has a bunch of excess stuff left over after programs were uninstalled, and I'm not sure if the browser is safe yet, or about the ZeroAccess situation and the hard disk situation.  The log files are showing Norton, Chrome, Firefox, etc., which were uninstalled.  I'd sure like to get rid of all that excess garbage.

 

So I have used:

Kaspersky, Malwarebytes, Ad-Aware, Spybot, CCleaner, TDSSKiller, HitmanPro, Rkill, JRT, AdwCleaner, ComboFix, FRST64, JRT, and NPE.exe, and installed all the Windows updates that were required, not the suggested ones.

 

I have log files for each of these and am attaching the FRST and ComboFix (run prematurely) logs.

 

Is my system now clean enough to run for the next few years or should more be fixed or should I do a system restore to get rid of the ComboFix I did prematurely and start over from FRST first?

 

Thanks so much for any help you can offer.

 

p.s. I did not choose "fix" on FRST and didn't know if I was to do that yet.

 

Thanks

Tina
Attached Files




#2 AviMc

AviMc
  • Topic Starter

  • Members
  • 15 posts

Posted 31 January 2015 - 05:00 AM

By the way, I am the webmaster for this client and have his computer here at home.  He was not at all careful with his internet habits.  I used the word "I" for simplicity.



#3 dbrisendine

dbrisendine

  • Malware Response Team
  • 508 posts
  • Gender:Male
  • Location:BC, Canada

Posted 01 February 2015 - 01:42 AM

Hi AviMc,

Welcome to BleepingComputer. My name is dbrisendine and I'll be helping you with this problem. Before I get into the removal of malware / correction of your problem, I need you to be aware of the following:
  • Please read all of my response through at least once before attempting to follow the procedures described. I would recommend printing them out, if you can, as you can check off each step as you complete it. Also, as some of the cleaning may be done in Safe Mode and there will be no internet connection then, you will find that having the steps printed for reference speeds the cleaning process along. If there's anything you don't understand or isn't totally clear to you, please come back to me for clarification before you start those steps.
  • All of the assistants and staff at BleepingComputer are here on a volunteer basis; please respect our time given to the cause of helping others. If you are going to be away for more than 4 days, please let me know here. (I will do the same for you.) We do realize that 'life happens' and situations arise unexpectedly; we just ask that you keep us up to date.
  • Malware removal is a complex, multiple-step process; please stay with me on this thread (don't start another thread) until I declare that your logs are clean and you are good to go. The absence of apparent issues does not mean your system is clean; I will tell you when everything looks good for you to go and help you remove the tools we have used.
  • If any of the security programs on your system should give any warnings about the software tools I ask you to download and use, please do not be alarmed. All of the tools I will have you use are safe to use (as instructed) and malware free.
  • While we strive to disrupt your system as little as possible, things happen. If you can, it would be best to back up your personal files now (if you do not already have a backup). You can store these on a CD/DVD, USB drive or stick, anywhere but on your same system. This will save you from possible anguish later if something unforeseen happens.
  • Please do not run any other tools or scanners than what I ask you to. Some of the openly available software made for malware removal can make changes to your system that interfere with the cleaning of the malware, or even destroy your system. I will use only what the situation calls for and direct you in the proper use of that software.
  • Please do not attach any log files to your replies unless I specifically ask you. Instead please copy and paste so as to include the log in your reply. You can do this in separate posts if it's easier for you.


    - Save ALL Tools to your Desktop -

    All the tools that I will have you download should be placed on the desktop unless otherwise stated. If you are familiar with how to save files to the desktop then you can skip this step.

    Since you are continuing with this step then I assume you are unfamiliar with saving files to your desktop. As a result it's easiest if you configure your browser(s) to download any tools to the desktop by default. Please use the appropriate instructions below depending on the browser you are using.
    Google Chrome - Click the "Customize and control Google Chrome" button in the upper right corner of the browser. Choose Settings. At the bottom of the screen click the "Show advanced settings..." link. Scroll down to find the Downloads section and click the Change... button. Select your desktop and click OK.
    Mozilla Firefox - Click the "Open Menu" button in the upper right corner of the browser. Choose Options. In the Downloads section, click the Browse button, click on the Desktop folder and then click the "Select Folder" button. Click OK to get out of the Options menu.
    Internet Explorer - Click the Tools menu in the upper right corner of the browser. Select View downloads. Select the Options link in the lower left of the window. Click Browse, select the Desktop and then choose the Select Folder button. Click OK to get out of the download options screen and then click Close to get out of the View Downloads screen.
    NOTE: IE8 does not support changing download locations in this manner. You will need to download the tool(s) to the default folder, usually Downloads, then copy them to the desktop.

Let's get started....

I have your logs and will work on a cleanup plan of action and steps to fix what you want. Please tell me if the following is not correct:
  • You want the removal of all apparent malware that is left on the system.
  • You want the removal of all traces of past used tools / cleaning programs from the system.
  • You use Kaspersky as your AV / IS program.
Please tell me if these statements are correct, if there are any more notes you wish to inform me of or if you have gotten assistance elsewhere.

Please do not run any other tools on this system other than what I ask you to and in the order I ask for.

I will return shortly with the first steps of cleaning. Thank you.

Please do not ask for Malware help via PM (Private Messages).  Please post in the forum boards instead.  Thanks.

My help is always free but if you would like to help encourage me or show your thanks, donations are welcome.


#4 AviMc

AviMc
  • Topic Starter

  • Members
  • 15 posts

Posted 01 February 2015 - 02:02 AM

I have read your instructions and understand them.  The first and third of your bullet points, the answer is yes.  The middle bullet point, I'm not sure if you're talking about the tools I've used to clean his system or programs and tools he might have used in the past that someone uninstalled yet remnants remain in computer folders and registry.  If the latter, yes, need those cleaned out. 

 

If you mean the virus removal tools: I would like this computer to continue to have the desktop icons I have left for my client to use after he gets his computer back home, so I don't have to install them for him and he doesn't have to know how to install them himself.  They are Kaspersky, Kaspersky's Safe Money, Malwarebytes, Ad-Aware, SpybotPortable, HitmanPro, CCleaner, Windows Update, Belarc Advisor, TDSSKiller within an *.eml file, a folder of downloaded executable files (AdwCleaner.exe, HitmanPro_x64.exe, JRT.exe, NPE.exe, rkill64.exe, tdsskiller.exe), the Spybot portable folder, a couple of Notepad notes of mine, and a folder of all the log files of the programs above run to date.

 

The reason is that some of his internet habits may again infect his computer if he does not use or renew Kaspersky, and the others may pick up some things Kaspersky does not catch. When I give his computer back to him, I will teach him how to use each one to keep his system checked, or to be able to clean it himself without asking me to.

 

If you think I should not keep these on his desktop, please let me know.  If it does not harm the system to have them, I'd like to keep them only for convenience of not having to download and install them in the future.

 

Thank you for your help with the next steps and your advice.

Tina



#5 AviMc

AviMc
  • Topic Starter

  • Members
  • 15 posts

Posted 01 February 2015 - 02:13 AM

Just one more thing.  He believes that iYogi was the culprit in installing all these viruses and the ransomware that encrypted all his business files, because they completely took over his system for years; he said it was just awful service and he broke ties with them.  I told him it wasn't them, but since it was hard as heck to get rid of them from the system, it could have been.  Doubtful, but I thought you might need that bit of information.  I told him that if files were quarantined and he uninstalled anything of theirs, then most likely the Trojans were freed from quarantine to destroy his system again, if iYogi didn't delete them completely.  Again, unsure.  I do know most are likely from P2P music downloads, his enjoyment of gambling sites, matchmaking sites, etc., and told him to get a second computer and not use his business computer for that.



#6 dbrisendine

dbrisendine

  • Malware Response Team
  • 508 posts
  • Gender:Male
  • Location:BC, Canada

Posted 01 February 2015 - 02:38 AM

Ok, seems like we are in agreement. I will try and leave what I can but we may have to uninstall some of the software to make the cleaning easier or less interfered with.

Oh, and ZeroAccess is still present on this system, along with the remains of a ransomware.

 

STEP# 1

Please go to START (Windows Orb) >> Control Panel >> Uninstall a Program or Programs and Features and remove the following (if listed):

WeatherBug

To do so, left-click the name once and then click Uninstall/Change on the bar above the list window.

Follow the prompts of the uninstaller BUT please read carefully any questions it asks before answering; some uninstallers will try and deceive you into keeping the software.

STEP# 2

Download the attached fixlist.txt file and save it to the Desktop.

NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 by right clicking on the FRST64.exe file, selecting "Run as Administrator..". The User Account Control may open up; if it does, select Yes to continue to let FRST open and load.

The tool will check for an updated version of itself every time it loads; please allow it to do this and the program will either inform you it is downloading an updated copy (and to wait until it is safe to continue) or show that it is ready to use (meaning there is no update found) and you can continue on. Press the Fix button just once and wait. The tool will create a restore point, process the script and ask for a restart of your system.

If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.

When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post the log in your next reply.



#7 dbrisendine

dbrisendine

  • Malware Response Team
  • 508 posts
  • Gender:Male
  • Location:BC, Canada

Posted 01 February 2015 - 02:40 AM


Attached Files




#8 AviMc

AviMc
  • Topic Starter

  • Members
  • 15 posts

Posted 01 February 2015 - 03:01 AM

WeatherBug was not in the programs list.  I uninstalled it the other day but unsure if I ran the premature logs before or after I got rid of it.

 

Here is my log file from your instructions above.

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 01-02-2015
Ran by Administrator at 2015-02-01 02:51:41 Run:1
Running from C:\Users\Administrator\Desktop
Loaded Profiles: Administrator (Available profiles: Administrator)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start
CreateRestorePoint:
CloseProcesses:
HKU\S-1-5-18\...\Run: [ReroNfayn] => regsvr32.exe "C:\ProgramData\ReroNfayn\SetiMloqo.zew"
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-395827054-3859895357-3488293600-500\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-395827054-3859895357-3488293600-500 -> {1E1E1D9A-0623-4567-9DC8-67F7F166FD78} URL =
Toolbar: HKLM - No Name - !{ae07101b-46d4-4a98-af68-0333ea26e113} -  No File
Toolbar: HKLM-x32 - No Name - !{01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C} -  No File
Toolbar: HKLM-x32 - No Name - !{364ea597-e728-4ce4-bb4a-ed846ef47970} -  No File
Toolbar: HKLM-x32 - No Name - !{A531D99C-5A22-449b-83DA-872725C6D0ED} -  No File
Toolbar: HKLM-x32 - No Name - !{ae07101b-46d4-4a98-af68-0333ea26e113} -  No File
Toolbar: HKU\S-1-5-21-395827054-3859895357-3488293600-500 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Toolbar: HKU\S-1-5-21-395827054-3859895357-3488293600-500 -> No Name - {37153479-1976-43C3-A1EE-557513977B64} -  No File
Toolbar: HKU\S-1-5-21-395827054-3859895357-3488293600-500 -> No Name - {30CEEEA2-3742-40E4-85DD-812BF1CBB83D} -  No File
Toolbar: HKU\S-1-5-21-395827054-3859895357-3488293600-500 -> No Name - {0123B506-0AD9-43AA-B0CF-916C122AD4C5} -  No File
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\19.0.1084.56\gcswf32.dll No File
CHR Plugin: (Shockwave Flash) - C:\windows\system32\Macromed\Flash\NPSWF32.dll No File
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin.dll No File
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin2.dll No File
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin3.dll No File
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin4.dll No File
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin5.dll No File
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin6.dll No File
CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin7.dll No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\4.0.60531.0\npctrl.dll No File
CHR Plugin: (RealPlayer™ G2 LiveConnect-Enabled Plug-In (32-bit) ) - C:\Program Files (x86)\Real\RealPlayer\Netscape6\nppl3260.dll No File
CHR Plugin: (RealPlayer Version Plugin) - C:\Program Files (x86)\Real\RealPlayer\Netscape6\nprpjplug.dll No File
CHR Plugin: (RealPlayer™ HTML5VideoShim Plug-In (32-bit) ) - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll No File
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\19.0.1084.56\ppGoogleNaClPluginChrome.dll No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\19.0.1084.56\pdf.dll No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll No File
CHR Plugin: (Google Earth Plugin) - C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll No File
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.65\npGoogleUpdate3.dll No File
CHR Plugin: (RealJukebox NS Plugin) - C:\Program Files (x86)\Real\RealPlayer\Netscape6\nprjplug.dll No File
CHR Plugin: (iTunes Application Detector) - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll No File
CHR Plugin: (Default Plug-in) - default_plugin No File
CHR HKLM\...\Chrome\Extension: [dbhjdbfgekjfcfkkfjjmlmojhbllhbho] - https://chrome.google.com/webstore/detail/dbhjdbfgekjfcfkkfjjmlmojhbllhbho [Not Found]
CHR HKLM-x32\...\Chrome\Extension: [dbhjdbfgekjfcfkkfjjmlmojhbllhbho] - https://chrome.google.com/webstore/detail/dbhjdbfgekjfcfkkfjjmlmojhbllhbho [Not Found]
CHR HKLM-x32\...\Chrome\Extension: [jfmjfhklogoienhpfnppmbcbjfjnkonk] - No Path
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S1 extsfahu; \??\C:\windows\system32\drivers\extsfahu.sys [X]
S1 fbsuqpxe; \??\C:\windows\system32\drivers\fbsuqpxe.sys [X]
S1 jmhubuci; \??\C:\windows\system32\drivers\jmhubuci.sys [X]
U4 klkbdflt2; system32\DRIVERS\klkbdflt2.sys [X]
S1 laczziha; \??\C:\windows\system32\drivers\laczziha.sys [X]
S1 lvcjkhrl; \??\C:\windows\system32\drivers\lvcjkhrl.sys [X]
S1 nchehstq; \??\C:\windows\system32\drivers\nchehstq.sys [X]
S1 nrnyllkn; \??\C:\windows\system32\drivers\nrnyllkn.sys [X]
S3 PTDUBus; system32\DRIVERS\PTDUBus.sys [X]
S3 PTDUMdm; system32\DRIVERS\PTDUMdm.sys [X]
S3 PTDUVsp; system32\DRIVERS\PTDUVsp.sys [X]
S3 PTDUWFLT; system32\DRIVERS\PTDUWFLT.sys [X]
S3 PTDUWWAN; system32\DRIVERS\PTDUWWAN.sys [X]
S1 qgbjcjim; \??\C:\windows\system32\drivers\qgbjcjim.sys [X]
S1 qnrpjqjm; \??\C:\windows\system32\drivers\qnrpjqjm.sys [X]
S1 qzslobfe; \??\C:\windows\system32\drivers\qzslobfe.sys [X]
S3 RSUSBSTOR; System32\Drivers\RtsUStor.sys [X]
S3 RtsUIR; system32\DRIVERS\Rts516xIR.sys [X]
S3 SMSIVZAM5X64; \??\C:\PROGRA~2\VERIZO~1\VZACCE~1\SMSIVZAM5X64.SYS [X]
S3 USBCCID; system32\DRIVERS\RtsUCcid.sys [X]
2015-01-30 20:36 - 2015-01-30 20:36 - 00000000 ____D () C:\Program Files\Spybot
2015-01-30 20:35 - 2015-01-30 20:35 - 00000000 ____D () C:\Program Files (x86)\Spybot
2015-01-30 20:29 - 2015-01-30 20:30 - 00000000 ____D () C:\Users\Administrator\Spybot
2015-01-29 02:25 - 2015-01-29 02:28 - 00002103 _____ () C:\windows\SysWOW64\??????
2015-01-28 10:08 - 2015-01-28 10:08 - 00328704 _____ (Microsoft Corporation) C:\windows\system32\services.exe.62873C41E06C75BA
2015-01-28 11:26 - 2015-01-28 11:26 - 00000000 ____D () C:\Users\Default\AppData\Roaming\AVG
2015-01-28 11:26 - 2015-01-28 11:26 - 00000000 ____D () C:\Users\Default User\AppData\Roaming\AVG
2015-01-28 11:25 - 2015-01-28 11:25 - 00000000 ____D () C:\Users\Default\AppData\Local\Avg
2015-01-28 11:25 - 2015-01-28 11:25 - 00000000 ____D () C:\Users\Default User\AppData\Local\Avg
2015-01-27 20:50 - 2015-01-27 20:50 - 00000668 _____ () C:\Users\Administrator\Desktop\Start Tor Browser - Shortcut.lnk
2015-01-07 13:53 - 2015-01-07 13:53 - 00000000 ____D () C:\ProgramData\uki
2015-01-07 13:52 - 2015-01-07 13:52 - 00000000 ____D () C:\ProgramData\khvt
2015-01-07 13:34 - 2015-01-07 13:34 - 00004651 _____ () C:\Users\Administrator\AppData\Local\how_decrypt.html
2015-01-07 13:18 - 2015-01-28 10:09 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\Dohiut
2015-01-07 13:15 - 2015-01-30 23:54 - 00000734 _____ () C:\windows\system32\Drivers\etc\hosts.txt
2015-01-07 13:15 - 2015-01-30 08:17 - 00000000 ____D () C:\ProgramData\dgepo
2015-01-07 13:15 - 2015-01-07 13:47 - 00000000 ____D () C:\ProgramData\ReroNfayn
2015-01-26 20:51 - 2014-07-10 13:04 - 00000000 ____D () C:\Program Files (x86)\GUMAAA.tmp
2015-01-26 18:02 - 2011-03-11 03:34 - 00000000 ____D () C:\Users\Administrator\AppData\Local\WeatherBug
2014-07-10 13:04 - 2014-07-10 13:04 - 6010880 _____ () C:\Program Files (x86)\GUTAAB.tmp
2015-01-07 13:34 - 2015-01-07 13:34 - 0025445 _____ () C:\Users\Administrator\AppData\Local\how_decrypt.gif
2015-01-07 13:34 - 2015-01-07 13:34 - 0004651 _____ () C:\Users\Administrator\AppData\Local\how_decrypt.html
2011-09-22 16:22 - 2012-07-30 19:54 - 0000000 _____ () C:\ProgramData\Drwtsn32.log~~Drwtsn32.log~~.txt
C:\Windows\Installer\{b2af2ecf-3da3-4cff-9c47-986a82287549}
C:\Windows\Installer\{b2af2ecf-3da3-4cff-9c47-986a82287549}\L\6715e287
C:\Users\Administrator\AppData\Local\{b2af2ecf-3da3-4cff-9c47-986a82287549}
C:\Users\Administrator\AppData\Local\{b2af2ecf-3da3-4cff-9c47-986a82287549}\@
C:\Users\Administrator\AppData\Local\{b2af2ecf-3da3-4cff-9c47-986a82287549}\U\80000032.@
C:\Users\Administrator\AppData\Local\{b2af2ecf-3da3-4cff-9c47-986a82287549}\U\80000064.@
C:\Users\Administrator\AppData\Local\{b2af2ecf-3da3-4cff-9c47-986a82287549}\U\how_decrypt.gif
C:\Users\Administrator\AppData\Local\{b2af2ecf-3da3-4cff-9c47-986a82287549}\U\how_decrypt.html
Task: {B87FF71F-6427-4EEB-91DA-7CA8F0400331} - \Security Center Update - 1747117408 No Task File <==== ATTENTION
AlternateDataStreams: C:\Users\Administrator\Desktop\TDSSKiller.eml:OECustomProperty
AlternateDataStreams: C:\ProgramData\TEMP:D3A96964
Reboot:
end

*****************

Restore point was successfully created.
Processes closed successfully.
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\ReroNfayn => value deleted successfully.
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
"HKU\S-1-5-21-395827054-3859895357-3488293600-500\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
"HKU\S-1-5-21-395827054-3859895357-3488293600-500\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{1E1E1D9A-0623-4567-9DC8-67F7F166FD78}" => Key deleted successfully.
HKCR\CLSID\{1E1E1D9A-0623-4567-9DC8-67F7F166FD78} => Key not found.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\!{ae07101b-46d4-4a98-af68-0333ea26e113} => value deleted successfully.
HKCR\CLSID\!{ae07101b-46d4-4a98-af68-0333ea26e113} => Key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\\!{01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C} => value deleted successfully.
HKCR\Wow6432Node\CLSID\!{01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C} => Key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\\!{364ea597-e728-4ce4-bb4a-ed846ef47970} => value deleted successfully.
HKCR\Wow6432Node\CLSID\!{364ea597-e728-4ce4-bb4a-ed846ef47970} => Key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\\!{A531D99C-5A22-449b-83DA-872725C6D0ED} => value deleted successfully.
HKCR\Wow6432Node\CLSID\!{A531D99C-5A22-449b-83DA-872725C6D0ED} => Key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\\!{ae07101b-46d4-4a98-af68-0333ea26e113} => value deleted successfully.
HKCR\Wow6432Node\CLSID\!{ae07101b-46d4-4a98-af68-0333ea26e113} => Key not found.
HKU\S-1-5-21-395827054-3859895357-3488293600-500\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => value deleted successfully.
HKCR\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => Key not found.
HKU\S-1-5-21-395827054-3859895357-3488293600-500\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{37153479-1976-43C3-A1EE-557513977B64} => value deleted successfully.
HKCR\CLSID\{37153479-1976-43C3-A1EE-557513977B64} => Key not found.
HKU\S-1-5-21-395827054-3859895357-3488293600-500\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{30CEEEA2-3742-40E4-85DD-812BF1CBB83D} => value deleted successfully.
HKCR\CLSID\{30CEEEA2-3742-40E4-85DD-812BF1CBB83D} => Key not found.
HKU\S-1-5-21-395827054-3859895357-3488293600-500\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{0123B506-0AD9-43AA-B0CF-916C122AD4C5} => value deleted successfully.
HKCR\CLSID\{0123B506-0AD9-43AA-B0CF-916C122AD4C5} => Key not found.
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => Key deleted successfully.
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => Key deleted successfully.
C:\Program Files (x86)\Google\Chrome\Application\19.0.1084.56\gcswf32.dll not found.
C:\windows\system32\Macromed\Flash\NPSWF32.dll not found.
C:\Program Files (x86)\QuickTime\plugins\npqtplugin.dll not found.
C:\Program Files (x86)\QuickTime\plugins\npqtplugin2.dll not found.
C:\Program Files (x86)\QuickTime\plugins\npqtplugin3.dll not found.
C:\Program Files (x86)\QuickTime\plugins\npqtplugin4.dll not found.
C:\Program Files (x86)\QuickTime\plugins\npqtplugin5.dll not found.
C:\Program Files (x86)\QuickTime\plugins\npqtplugin6.dll not found.
C:\Program Files (x86)\QuickTime\plugins\npqtplugin7.dll not found.
c:\Program Files (x86)\Microsoft Silverlight\4.0.60531.0\npctrl.dll not found.
C:\Program Files (x86)\Real\RealPlayer\Netscape6\nppl3260.dll not found.
C:\Program Files (x86)\Real\RealPlayer\Netscape6\nprpjplug.dll not found.
C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll not found.
C:\Program Files (x86)\Google\Chrome\Application\19.0.1084.56\ppGoogleNaClPluginChrome.dll not found.
C:\Program Files (x86)\Google\Chrome\Application\19.0.1084.56\pdf.dll not found.
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll not found.
C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll not found.
C:\Program Files (x86)\Google\Update\1.3.21.65\npGoogleUpdate3.dll not found.
C:\Program Files (x86)\Real\RealPlayer\Netscape6\nprjplug.dll not found.
C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll not found.
"HKLM\SOFTWARE\Google\Chrome\Extensions\dbhjdbfgekjfcfkkfjjmlmojhbllhbho" => Key deleted successfully.
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\dbhjdbfgekjfcfkkfjjmlmojhbllhbho" => Key deleted successfully.
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\jfmjfhklogoienhpfnppmbcbjfjnkonk" => Key deleted successfully.
catchme => Service deleted successfully.
extsfahu => Service deleted successfully.
fbsuqpxe => Service deleted successfully.
jmhubuci => Service deleted successfully.
klkbdflt2 => Error deleting Service
laczziha => Service deleted successfully.
lvcjkhrl => Service deleted successfully.
nchehstq => Service deleted successfully.
nrnyllkn => Service deleted successfully.
PTDUBus => Service deleted successfully.
PTDUMdm => Service deleted successfully.
PTDUVsp => Service deleted successfully.
PTDUWFLT => Service deleted successfully.
PTDUWWAN => Service deleted successfully.
qgbjcjim => Service deleted successfully.
qnrpjqjm => Service deleted successfully.
qzslobfe => Service deleted successfully.
RSUSBSTOR => Service deleted successfully.
RtsUIR => Service deleted successfully.
SMSIVZAM5X64 => Service deleted successfully.
USBCCID => Service deleted successfully.
C:\Program Files\Spybot => Moved successfully.
C:\Program Files (x86)\Spybot => Moved successfully.
C:\Users\Administrator\Spybot => Moved successfully.

"C:\windows\SysWOW64\??????" directory move:

Could not move "C:\windows\SysWOW64\??????" directory. => Scheduled to move on reboot.

C:\windows\system32\services.exe.62873C41E06C75BA => Moved successfully.
C:\Users\Default\AppData\Roaming\AVG => Moved successfully.
"C:\Users\Default User\AppData\Roaming\AVG" => File/Directory not found.
C:\Users\Default\AppData\Local\Avg => Moved successfully.
"C:\Users\Default User\AppData\Local\Avg" => File/Directory not found.
C:\Users\Administrator\Desktop\Start Tor Browser - Shortcut.lnk => Moved successfully.
C:\ProgramData\uki => Moved successfully.
C:\ProgramData\khvt => Moved successfully.
C:\Users\Administrator\AppData\Local\how_decrypt.html => Moved successfully.
C:\Users\Administrator\AppData\Roaming\Dohiut => Moved successfully.
C:\windows\system32\Drivers\etc\hosts.txt => Moved successfully.
C:\ProgramData\dgepo => Moved successfully.
C:\ProgramData\ReroNfayn => Moved successfully.
C:\Program Files (x86)\GUMAAA.tmp => Moved successfully.
C:\Users\Administrator\AppData\Local\WeatherBug => Moved successfully.
C:\Program Files (x86)\GUTAAB.tmp => Moved successfully.
C:\Users\Administrator\AppData\Local\how_decrypt.gif => Moved successfully.
"C:\Users\Administrator\AppData\Local\how_decrypt.html" => File/Directory not found.
C:\ProgramData\Drwtsn32.log~~Drwtsn32.log~~.txt => Moved successfully.
C:\Windows\Installer\{b2af2ecf-3da3-4cff-9c47-986a82287549} => Moved successfully.
"C:\Windows\Installer\{b2af2ecf-3da3-4cff-9c47-986a82287549}\L\6715e287" => File/Directory not found.
C:\Users\Administrator\AppData\Local\{b2af2ecf-3da3-4cff-9c47-986a82287549} => Moved successfully.
"C:\Users\Administrator\AppData\Local\{b2af2ecf-3da3-4cff-9c47-986a82287549}\@" => File/Directory not found.
"C:\Users\Administrator\AppData\Local\{b2af2ecf-3da3-4cff-9c47-986a82287549}\U\80000032.@" => File/Directory not found.
"C:\Users\Administrator\AppData\Local\{b2af2ecf-3da3-4cff-9c47-986a82287549}\U\80000064.@" => File/Directory not found.
"C:\Users\Administrator\AppData\Local\{b2af2ecf-3da3-4cff-9c47-986a82287549}\U\how_decrypt.gif" => File/Directory not found.
"C:\Users\Administrator\AppData\Local\{b2af2ecf-3da3-4cff-9c47-986a82287549}\U\how_decrypt.html" => File/Directory not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{B87FF71F-6427-4EEB-91DA-7CA8F0400331}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B87FF71F-6427-4EEB-91DA-7CA8F0400331}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Security Center Update - 1747117408" => Key deleted successfully.
C:\Users\Administrator\Desktop\TDSSKiller.eml => ":OECustomProperty" ADS removed successfully.
C:\ProgramData\TEMP => ":D3A96964" ADS removed successfully.

=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2015-02-01 02:54:47)<=

"C:\windows\SysWOW64\??????" => Directory could not move.

==== End of Fixlog 02:54:47 ====
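The Fixlog format above reports one outcome per line ("Moved successfully.", "Key deleted successfully.", "Error deleting Service", "Scheduled to move on reboot.", "Directory could not move."). What a responder actually wants from such a log is the short list of items that are still on the machine after the fix. The Python below is an added example written for this page, not FRST's own code or anything the helper posted: it parses lines in the quoted format, classifies each outcome, and reports the targets whose last status was not a success. The sample log is constructed (made-up paths and service names modelled on the entries above; the "??????" folder name mirrors how the non-ASCII directory shows in the quoted log).

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample log, modelled on the FRST Fixlog format quoted in this thread.
# Paths, service names and the extension id are made up.
SAMPLE_FIXLOG = r"""
C:\Program Files (x86)\Example\plugins\npexample.dll not found.
"HKLM\SOFTWARE\Example\Extensions\aaaabbbbccccddddeeeeffffgggghhhh" => Key deleted successfully.
svcone => Service deleted successfully.
svctwo => Error deleting Service
C:\Program Files\ExampleTool => Moved successfully.

"C:\windows\SysWOW64\??????" directory move:

Could not move "C:\windows\SysWOW64\??????" directory. => Scheduled to move on reboot.

"C:\Users\Default User\AppData\Roaming\Example" => File/Directory not found.
C:\Users\Admin\Desktop\example.eml => ":OECustomProperty" ADS removed successfully.

=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2015-02-01 02:54:47)<=

"C:\windows\SysWOW64\??????" => Directory could not move.

==== End of Fixlog 02:54:47 ====
"""


@dataclass
class Entry:
    target: str    # file, folder, registry key or service the tool acted on
    outcome: str   # "done" | "missing" | "pending" | "failed"
    detail: str    # text after "=>" (or the whole line for "... not found.")


# 'Could not move "<dir>" directory. => Scheduled to move on reboot.'
_DEFERRED_RE = re.compile(r'^Could not move "(?P<target>.+)" directory\. => (?P<detail>.+)$')
# '<target> => <result>'  (target may be wrapped in double quotes)
_RESULT_RE = re.compile(r'^"?(?P<target>.*?)"?\s+=>\s+(?P<detail>.+?)\s*$')
# '<plugin path> not found.'  (entries that were already gone before the fix)
_NOT_FOUND_RE = re.compile(r'^(?P<target>.+?) not found\.$')


def _classify(detail: str) -> str:
    d = detail.lower()
    if "successfully" in d:
        return "done"
    if "not found" in d:
        return "missing"
    if "scheduled to move on reboot" in d:
        return "pending"
    return "failed"   # "Error deleting Service", "Directory could not move." ...


def parse_fixlog(text: str) -> list[Entry]:
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks, section banners ("=> Result of ...", "==== End of Fixlog")
        # and the '... directory move:' header that precedes a deferred move.
        if not line or line.startswith(("=>", "====")) or line.endswith(":"):
            continue
        m = _DEFERRED_RE.match(line) or _RESULT_RE.match(line)
        if m:
            entries.append(Entry(m["target"], _classify(m["detail"]), m["detail"]))
            continue
        m = _NOT_FOUND_RE.match(line)
        if m:
            entries.append(Entry(m["target"], "missing", line))
    return entries


def summarize(text: str) -> dict[str, int]:
    """Count entries per outcome; a quick sanity check on a long Fixlog."""
    return dict(Counter(e.outcome for e in parse_fixlog(text)))


def residual_items(text: str) -> list[tuple[str, str]]:
    """Targets whose *last* reported outcome is not a success.

    The same target can appear twice: first as "Scheduled to move on reboot",
    then again in the post-reboot results section.  Keeping only the last
    status turns that pending/failed pair into one verdict.  "Not found"
    items are dropped: there is nothing left on disk to look at.
    """
    last: dict[str, str] = {}
    for e in parse_fixlog(text):
        last[e.target] = e.outcome
    return sorted((t, o) for t, o in last.items() if o in ("pending", "failed"))


if __name__ == "__main__":
    print("summary:", summarize(SAMPLE_FIXLOG))
    for target, outcome in residual_items(SAMPLE_FIXLOG):
        print(f"{outcome:8} {target}")
```

On the sample, the two residual items are the service that returned "Error deleting Service" and the SysWOW64 directory that survived the scheduled reboot move; those are exactly the entries worth a follow-up (a directory listing or a second, targeted fixlist) before the machine is declared clean.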



#9 dbrisendine (Malware Response Team, BC, Canada)

Posted 02 February 2015 - 02:57 AM

FIRST >>>>
 
We need to take a closer look at one item that could not be deleted yet:

Download the attached fixlist.txt file and save it to the Desktop.

NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 by right clicking on the FRST64.exe file and selecting "Run as administrator". The User Account Control prompt may open; if it does, select Yes to continue and let FRST open and load.

The tool will check for an updated version of itself every time it loads; please allow it to do this and the program will either inform you it is downloading an updated copy (and to wait until it is safe to continue) or show that it is ready to use (meaning there is no update found) and you can continue on.  Press the Fix button just once and wait.  The tool will create a restore point, process the script and ask for a restart of your system.

If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.

When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post the log in your next reply.
 
SECOND >>>>
 

AdwCleaner by Xplode

Download AdwCleaner from here or from here. Save the file to the desktop.


NOTE: If you are using IE 8 or above you may get a warning that stops the program from downloading. Just click on the warning and allow the download to complete.

Close all open windows and browsers.

  • Vista/7/8 users: Right click the AdwCleaner icon on the desktop, click Run as administrator and accept the UAC prompt to run AdwCleaner. You will see the AdwCleaner console.
  • Click the Scan button and wait for the scan to finish.
  • After the scan has finished the window may or may not show what it found; above, in the progress bar, you will see: Pending. Please uncheck elements you don't want to remove.
  • Click the Clean button.
  • Everything checked will be deleted.
  • When the program has finished cleaning a report appears.
  • Once done it will ask to reboot; allow this.
  • On reboot a log will be produced; please copy/paste that in your next reply. This report is also saved to C:\AdwCleaner\AdwCleaner[S0].txt

Optional:

NOTE: If you see AVG Secure Search being targeted for deletion, Here's Why and Here. You can always Reinstall it.


Please do not ask for Malware help via PM (Private Messages).  Please post in the forum boards instead.  Thanks.

My help is always free but if you would like to help encourage me or show your thanks -----> (donate button)


#10 AviMc (Topic Starter)

Posted 02 February 2015 - 07:08 AM

I think you forgot to attach.



#11 dbrisendine (Malware Response Team, BC, Canada)

Posted 03 February 2015 - 01:46 AM

Sorry about that; the Fixlist was just going to search and report on a folder.  It is attached here.

Attached Files




#12 AviMc (Topic Starter)

Posted 03 February 2015 - 07:35 AM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 01-02-2015
Ran by Administrator at 2015-02-03 07:22:38 Run:2
Running from C:\Users\Administrator\Desktop
Loaded Profiles: Administrator (Available profiles: Administrator)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start
Folder: C:\windows\SysWOW64\??????
end

*****************


========================= Folder: C:\windows\SysWOW64\?????? ========================


====== End of Folder: ======


==== End of Fixlog 07:22:38 ====

# AdwCleaner v4.109 - Report created 03/02/2015 at 07:30:21
# Updated 24/01/2015 by Xplode
# Database : 2015-02-02.1 [Live]
# Operating System : Windows 7 Professional Service Pack 1 (64 bits)
# Username : Administrator - AVI-PC
# Running from : C:\Users\Administrator\Desktop\downloads\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****


***** [ Scheduled Tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****


***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17496


-\\ Google Chrome v


*************************

AdwCleaner[R0].txt - [7610 octets] - [31/01/2015 02:00:58]
AdwCleaner[R1].txt - [7670 octets] - [31/01/2015 02:09:00]
AdwCleaner[R2].txt - [7730 octets] - [31/01/2015 02:10:55]
AdwCleaner[R3].txt - [996 octets] - [03/02/2015 07:26:57]
AdwCleaner[S0].txt - [7640 octets] - [31/01/2015 02:13:43]
AdwCleaner[S1].txt - [918 octets] - [03/02/2015 07:30:21]

########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [977 octets] ##########

#13 dbrisendine (Malware Response Team, BC, Canada)

Posted 03 February 2015 - 10:37 AM

I see you have Malwarebytes Antimalware installed on the system...
Please do a scan and post the log here.

2.0 Threat Scan

  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.

How to get logs:
(Export log to save as txt)

  • After the restart, once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the date and time of the scan just performed.
  • Click 'Export'.
  • Click 'Text file (*.txt)'.
  • In the Save File dialog box which appears, click on Desktop.
  • In the File name: box, type a name for your scan log.
  • A message box named 'File Saved' should appear stating "Your file has been successfully exported".
  • Click OK.
  • Attach that saved log to your next reply.



#14 AviMc (Topic Starter)

Posted 03 February 2015 - 03:00 PM

See attached.
Thanks
 

Attached Files



#15 AviMc (Topic Starter)

Posted 03 February 2015 - 05:35 PM

Is there a way to confirm that the rootkit trojan has been fixed or any other dangerous ones that you saw?  I'm asking because out of so many scanning programs with them all picking up on some things and sometimes not, and since I cannot remember which program had said something about a rootkit, maybe you can show me how to prove to myself that it's been cleared up.  I have to get this computer back to the client and it looks like it's clean now except I still wonder about the rootkit one and the ransomware one or others you saw - or is there still much to do?

 

I'm grateful for the help you've provided on this computer.


Edited by AviMc, 03 February 2015 - 08:31 PM.




