infected with Win64/patched.az.gen!dll


  • This topic is locked
7 replies to this topic

#1 pssrfid22

pssrfid22

  • Members
  • 4 posts
  • OFFLINE
  • Local time:12:13 AM

Posted 09 January 2016 - 05:08 PM

I have run FRST64 as in the directions and have attached both log files as directed. Need help to obtain the fix.txt please.

Attached Files

  • Attached File  FRST.txt   49.57KB   11 downloads
  • Attached File  Addition.txt   97.08KB   4 downloads




#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,925 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:13 AM

Posted 11 January 2016 - 11:44 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Remove this toolbar in bold via the Control Panel > Programs and Features applet.
YTD Toolbar v9.7 (HKLM-x32\...\{6A9A9A9C-ED11-4689-8E5D-B4F272E3537F}) (Version: 9.7 - Spigot, Inc.) <==== ATTENTION
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

() C:\Program Files\amztab\amztab.exe
() C:\Program Files\amztab\packages\116f21aa-dde0-49e8-aee7-6fe44177859f\zetip.exe
HKLM-x32\...\Run: [] => [X]
GroupPolicy: Restriction - Chrome <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
CHR HKU\S-1-5-21-2007134255-2043756329-305207435-1000\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
BHO: TmIEPlugInBHO Class -> {1CA1377B-DC1D-4A52-9585-6E06050FAC53} -> C:\Program Files (x86)\Trend Micro\Client Server Security Agent\bho\1009\TmIEPlg.dll => No File
BHO-x32: TmIEPlugInBHO Class -> {1CA1377B-DC1D-4A52-9585-6E06050FAC53} -> C:\Program Files (x86)\Trend Micro\Client Server Security Agent\bho\1009\TmIEPlg32.dll => No File
Toolbar: HKLM - No Name - !{82E1477C-B154-48D3-9891-33D83C26BCD3} -  No File
Toolbar: HKLM - No Name - !{8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} -  No File
Toolbar: HKLM-x32 - No Name - !{82E1477C-B154-48D3-9891-33D83C26BCD3} -  No File
Toolbar: HKLM-x32 - No Name - !{8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} -  No File
Toolbar: HKU\S-1-5-21-2007134255-2043756329-305207435-1000 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files (x86)\Trend Micro\Client Server Security Agent\bho\1009\TmIEPlg32.dll No File
Handler: WSWSVCUchrome - No CLSID Value
FF Plugin HKU\S-1-5-21-2007134255-2043756329-305207435-1000: @tools.google.com/Google Update;version=3 -> C:\Users\JD\AppData\Local\Google\Update\1.3.28.15\npGoogleUpdate3.dll [No File]
FF Plugin HKU\S-1-5-21-2007134255-2043756329-305207435-1000: @tools.google.com/Google Update;version=9 -> C:\Users\JD\AppData\Local\Google\Update\1.3.28.15\npGoogleUpdate3.dll [No File]
FF Extension: No Name - C:\Users\JD\AppData\Roaming\Mozilla\Firefox\Profiles\587vn4l6.default-1376964433007\extensions\anttoolbar@ant.com [not found]
FF HKLM-x32\...\Firefox\Extensions: [{22C7F6C6-8D67-4534-92B5-529A0EC09405}] - C:\Program Files (x86)\Trend Micro\Client Server Security Agent\bho\1009\FirefoxExtension => not found
FF HKLM-x32\...\Firefox\Extensions: [{ABDE892B-13A8-4d1b-88E6-365A6E755758}] - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext => not found
CHR Plugin: (Native Client) - C:\Users\JD\AppData\Local\Google\Chrome\Application\46.0.2490.86\ppGoogleNaClPluginChrome.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Users\JD\AppData\Local\Google\Chrome\Application\46.0.2490.86\pdf.dll => No File
CHR Plugin: (iTunes Application Detector) - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll => No File
CHR Plugin: (Shockwave Flash) - C:\windows\SysWOW64\Macromed\Flash\NPSWF32_15_0_0_152.dll => No File
R2 AmazingTab; C:\Program Files\amztab\amztab.exe [383488 2016-01-07] () [File not signed]
S3 CASprint; "C:\Program Files (x86)\Sprint\Sprint SmartView\ConAppsSvc.exe" /n "CASprint" [X]
S3 SprintRcAppSvc; "C:\Program Files (x86)\Sprint\Sprint SmartView\RcAppSvc.exe" /n "SprintRcAppSvc" [X]
S3 WsDrvInst; C:\Program Files (x86)\Wondershare\SafeEraser\DriverInstall.exe [X]
S1 dcbkctkv; \??\C:\windows\system32\drivers\dcbkctkv.sys [X]
S1 nokqpoub; \??\C:\windows\system32\drivers\nokqpoub.sys [X]
S3 PCTINDIS5X64; \??\C:\windows\system32\PCTINDIS5X64.SYS [X]
S3 RimUsb; System32\Drivers\RimUsb_AMD64.sys [X]
CustomCLSID: HKU\S-1-5-21-2007134255-2043756329-305207435-1000_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> C:\Users\JD\AppData\Local\Google\Update\1.3.27.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-2007134255-2043756329-305207435-1000_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}\InprocServer32 -> C:\Users\JD\AppData\Local\Google\Update\1.3.23.9\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-2007134255-2043756329-305207435-1000_Classes\CLSID\{38216570-5DB1-45F8-A344-B0C4E252B14B}\InprocServer32 -> C:\Users\JD\AppData\Local\Google\Update\1.3.26.7\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-2007134255-2043756329-305207435-1000_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> C:\Users\JD\AppData\Local\Google\Update\1.3.28.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-2007134255-2043756329-305207435-1000_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}\InprocServer32 -> C:\Users\JD\AppData\Local\Google\Update\1.3.28.13\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-2007134255-2043756329-305207435-1000_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\JD\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-2007134255-2043756329-305207435-1000_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\JD\AppData\Local\Google\Update\1.3.26.9\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-2007134255-2043756329-305207435-1000_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF}\InprocServer32 -> C:\Users\JD\AppData\Local\Google\Update\1.3.28.15\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-2007134255-2043756329-305207435-1000_Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}\InprocServer32 -> C:\Users\JD\AppData\Local\Google\Update\1.3.28.15\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-2007134255-2043756329-305207435-1000_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}\InprocServer32 -> C:\Users\JD\AppData\Local\Google\Update\1.3.24.7\psuser_64.dll => No File
Task: {460E6FF1-7BD5-401A-89CB-073454A1E4DF} - System32\Tasks\Dopda => C:\PROGRA~1\SHOPPE~2\Goudaq.bat
Task: {4DEB9E15-FC09-4DD3-8796-250B4644830F} - System32\Tasks\IBUpd2 => C:\Users\JD\AppData\Local\BrowserAir\47.0.0.3\updater.exe
Task: {E5B0D726-D509-4AC0-BEC6-AFE0EDB82A7C} - System32\Tasks\AutoKMS => C:\windows\AutoKMS\AutoKMS.exe [2015-09-23] ()
AlternateDataStreams: C:\Windows:nlsPreferences
AlternateDataStreams: C:\windows\system32\Drivers\sdfhgdf.sys:{9b43642a-a8b8-11e5-b23f-782bcbe4aa81}
AlternateDataStreams: C:\windows\system32\Drivers\sdfhgdf.sys:{9b43642b-a8b8-11e5-b23f-782bcbe4aa81}
AlternateDataStreams: C:\ProgramData\TEMP:10C8EAEC
AlternateDataStreams: C:\ProgramData\TEMP:661DFA1C
DNS Servers: Media is not connected to internet.
MSCONFIG\startupreg: AutoKMS => C:\windows\AutoKMS.exe
FirewallRules: [{E7E83F69-2A58-48D4-8B61-E3EE73CC3329}] => (Allow) C:\Users\JD\AppData\Local\Temp\Rar$EX00.049\setup.exe
FirewallRules: [{F96AC2F9-CEAB-4FDD-9887-9D0FFD74A5EB}] => (Allow) C:\Users\JD\AppData\Local\Temp\Rar$EX00.049\setup.exe
FirewallRules: [{87E2A58C-7BA9-4797-BDD2-2AA9C10B3086}] => (Allow) C:\Users\JD\AppData\Local\Temp\Rar$EX00.049\setup.exe
FirewallRules: [{EF6B2F40-D73B-490A-AD65-9DF5896F7CD7}] => (Allow) C:\Users\JD\AppData\Local\Temp\Rar$EX00.049\setup.exe
FirewallRules: [{85865E93-8DB0-4F77-B88F-9498CAAB19E9}] => (Allow) C:\Program Files (x86)\iMesh Applications\iMesh\iMesh.exe
FirewallRules: [{5D141A96-7B10-4693-9E12-563382964FF9}] => (Allow) C:\Program Files (x86)\iMesh Applications\iMesh\iMesh.exe
FirewallRules: [{E27862C7-17E0-4A99-8153-886389B39787}] => (Allow) C:\Program Files (x86)\iMesh Applications\iMesh\iMesh.exe
FirewallRules: [{24916AC9-31AC-42E1-A1BE-47060CDD748B}] => (Allow) C:\Program Files (x86)\iMesh Applications\iMesh\iMesh.exe
C:\Program Files (x86)\iMesh Applications
C:\windows\AutoKMS.exe
C:\windows\AutoKMS
C:\Users\JD\AppData\Local\BrowserAir
C:\PROGRA~1\SHOPPE~2
C:\Program Files\amztab

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===


CHR dev: Chrome dev build detected! <======= ATTENTION
Your copy of Chrome has been compromised

Unless you did this yourself, malware has changed your Chrome version into the Development Build. Among other things this allows malware to install any extension it wants.

Clear your Chrome cache and cookies
https://support.google.com/chromebook/answer/183083?hl=en

===

Remove Chrome using the instructions on this page.
https://support.google.com/chrome/answer/95319?hl=en

Before you do, export your bookmarks.
Chrome will export your bookmarks as a HTML file, which you can then import into another browser.

If you want to save your passwords as well see here: http://www.intowindows.com/how-to-backup-saved-passwords-in-google-chrome-browser/

Re-install Chrome and the Bookmarks.
<<<>>>

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as Java update!
Important read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882


If present remove the old version(s) of Java using the Control Panel > Programs and Features applet.

Java 7 Update 45 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F86417045FF}) (Version: 7.0.450 - Oracle)
Java 7 Update 45 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83217045FF}) (Version: 7.0.450 - Oracle)
Java™ 6 Update 23 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F86416023FF}) (Version: 6.0.230 - Oracle)
Java™ 6 Update 30 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83216030FF}) (Version: 6.0.300 - Oracle)
JavaFX 2.1.1 (HKLM-x32\...\{1111706F-666A-4037-7777-211328764D10}) (Version: 2.1.1 - Oracle Corporation)

Please post the logs and let me know what problem persists.
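The fixlist above removes several classes of artifact that FRST flagged: browser policy "Restriction" keys, scheduled tasks running out of user-writable folders, alternate data streams, firewall allow rules for programs under Temp, and driver entries whose file is missing. The following PowerShell script is an added example, not part of this thread and not Farbar/FRST code; it only reports on those same artifact classes, using the paths, registry keys and user SID that appear in the log, so a reader can see what the fix is acting on before running it. It assumes Windows PowerShell 3 or later, an elevated prompt, and Windows 8 / Server 2012 or later for the `Get-ScheduledTask` and `Get-NetFirewallRule` cmdlets.

```powershell
# Added example: read-only audit of the artifact types the FRST fixlist targets.
# Nothing is deleted; $report is returned for review.
$report = [ordered]@{}

# 1. Browser policy keys. A home PC that is not domain-joined normally has none;
#    adware creates them to force-install extensions or pin a proxy/homepage,
#    which is what FRST reports as "GroupPolicy: Restriction".
$null = New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS -ErrorAction SilentlyContinue
$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Google',
    'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer',
    'HKU:\S-1-5-21-2007134255-2043756329-305207435-1000\SOFTWARE\Policies\Google'  # SID from the FRST log
)
$report.Policies = foreach ($key in $policyKeys) {
    if (Test-Path $key) {
        @(Get-Item $key) + @(Get-ChildItem $key -Recurse -ErrorAction SilentlyContinue) | ForEach-Object {
            $k = $_
            [pscustomobject]@{
                Key    = $k.Name
                Values = ($k.GetValueNames() | ForEach-Object { "$_=$($k.GetValue($_))" }) -join '; '
            }
        }
    }
}

# 2. Scheduled tasks whose action runs from a user-writable or unusual location.
#    The log's Dopda (PROGRA~1\SHOPPE~2\Goudaq.bat) and IBUpd2 (AppData\Local\BrowserAir)
#    tasks match; AutoKMS under C:\windows does not and would need a manual look.
$report.Tasks = Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if ($action.Execute -match 'AppData|ProgramData|PROGRA~|\\Temp\\|\.bat$') {
            [pscustomobject]@{ Task = $task.TaskName; Execute = $action.Execute; Arguments = $action.Arguments }
        }
    }
}

# 3. Alternate data streams on the objects FRST listed. Any stream other than the
#    default :$DATA is worth a look. (Directory ADS support in Get-Item -Stream
#    varies by PowerShell version; errors are suppressed rather than fatal.)
$adsTargets = 'C:\Windows', 'C:\ProgramData\TEMP', "$env:SystemRoot\System32\Drivers\sdfhgdf.sys"
$report.AlternateDataStreams = foreach ($path in $adsTargets) {
    if (Test-Path -LiteralPath $path) {
        Get-Item -LiteralPath $path -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            Select-Object FileName, Stream, Length
    }
}

# 4. Firewall allow rules for programs under a Temp folder or for the iMesh P2P client,
#    the two patterns in the log's "FirewallRules:" lines.
$report.FirewallPrograms = Get-NetFirewallRule -Action Allow -ErrorAction SilentlyContinue |
    Get-NetFirewallApplicationFilter |
    Where-Object { $_.Program -match '\\Temp\\|iMesh' } |
    Select-Object -ExpandProperty Program -Unique

# 5. Driver entries whose binary no longer exists (FRST marks these "[X]").
#    Orphaned entries such as dcbkctkv.sys are harmless now but are removed so a
#    returning file cannot be loaded through the old registration.
$report.MissingDriverBinaries = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.PathName } |
    ForEach-Object {
        $file = $_.PathName -replace '^\\\?\?\\', ''            # strip the \??\ NT prefix
        if (-not [System.IO.Path]::IsPathRooted($file)) {       # e.g. System32\Drivers\RimUsb_AMD64.sys
            $file = Join-Path $env:SystemRoot $file
        }
        if (-not (Test-Path -LiteralPath $file)) {
            [pscustomobject]@{ Driver = $_.Name; Path = $file }
        }
    }

$report
```

Run it before and after the fix: the Policies, Tasks and FirewallPrograms sections should be empty afterwards, and a non-empty Policies section on a machine that has never been domain-joined is the single most reliable sign that a browser hijacker is still present.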

#3 pssrfid22

pssrfid22
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:12:13 AM

Posted 11 January 2016 - 12:53 PM

Here are all my logs following your directions. I also attached a pic showing the error message I get when I try to uninstall YTD from the programs error. Still not working? Should I try everything again.

Attached Files



#4 nasdaq

nasdaq

  • Malware Response Team
  • 38,925 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:13 AM

Posted 12 January 2016 - 08:52 AM

I also attached a pic
showing the error message I get when I try to uninstall YTD from the

The program was in a \temp folder. If that folder was empty then it's gone.

Leave it alone.

---

I was expecting the Fixlog.txt file that was created when you ran the fix.


Did you place the Fixlist.txt file you created in the Same folder as the Farbar tool?
That is on this desktop. (C:\Users\JD\Desktop )

Then all you have to do is run the Farbar tool and click the fix button.
The file will be created.
Please post it for my review.

How is the computer running now?

#5 pssrfid22

pssrfid22
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:12:13 AM

Posted 12 January 2016 - 11:32 AM

I have attached the fixlog.  I still cannot access the internet as it's being blocked some how.

Attached Files



#6 nasdaq

nasdaq

  • Malware Response Team
  • 38,925 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:13 AM

Posted 12 January 2016 - 01:35 PM

If you have NOT already powered down your modem, router and computer for one minute, do it now.

Restart everything; if the internet is still not working, continue.

Download the MiniToolBox program to a CD or flash drive using a good computer.

Copy the downloaded file to the desktop of the compromised computer and run it.

Post the log for my review.

Please download MiniToolBox to Desktop and run it.

Check mark the following boxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List last 10 Event Viewer log
  • List content of Hosts
  • List IP Configuration
  • List Winsock Entries
  • List Installed Programs
  • List Users, Partitions and Memory size
  • List Devices (problems only)
  • List Minidump Files
  • List Restore Points
  • Click Go and copy/paste the log (Result.txt) into your next post.
  • Note: When using "Reset FF Proxy Settings" option Firefox should be closed.
================
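The MiniToolBox options checked above (proxy settings, hosts file, IP configuration, Winsock entries) cover the usual reasons a cleaned PC still cannot reach the internet: adware leaves a proxy or PAC URL behind, rewrites the hosts file, or installs a Winsock LSP that stops working once its DLL is deleted. The PowerShell script below is an added example, not from the thread and not MiniToolBox code; it reads the same settings and prints one line per finding, so the output can be compared with the MiniToolBox report. It assumes Windows PowerShell 3 or later and an elevated prompt (needed for the `netsh winhttp` and `netsh winsock` queries). It changes nothing; the corresponding resets are the tool's own "Reset IE Proxy Settings" / "Reset FF Proxy Settings" options, `netsh winhttp reset proxy`, and `netsh winsock reset`.

```powershell
# Added example: read-only "no internet after cleanup" triage.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Link state first. FRST's "Media is not connected to internet" is the NIC-level
#    status; Win32_NetworkAdapter.NetConnectionStatus 2 = connected, 7 = media disconnected.
Get-CimInstance Win32_NetworkAdapter -Filter 'PhysicalAdapter=True' | ForEach-Object {
    $findings.Add("Adapter '$($_.Name)': NetConnectionStatus=$($_.NetConnectionStatus)")
}

# 2. DNS servers and default gateway on every IP-enabled interface.
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=True' | ForEach-Object {
    $dns = ($_.DNSServerSearchOrder -join ', ')
    $gw  = ($_.DefaultIPGateway -join ', ')
    $findings.Add("IP config '$($_.Description)': DNS=[$dns] gateway=[$gw]")
}

# 3. WinINet proxy: what IE, Chrome and most desktop apps honour. A proxy that
#    points at a host that no longer exists blocks every browser at once.
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($inet.ProxyEnable -eq 1) { $findings.Add("WinINet proxy enabled: $($inet.ProxyServer)") }
if ($inet.AutoConfigURL)     { $findings.Add("WinINet PAC script: $($inet.AutoConfigURL)") }

# 4. WinHTTP proxy: used by services and Windows Update; "Direct access" is the clean state.
$winhttp = (netsh winhttp show proxy) -join ' '
if ($winhttp -notmatch 'Direct access') { $findings.Add("WinHTTP: $($winhttp.Trim())") }

# 5. hosts file: report every mapping other than the localhost lines.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content -LiteralPath $hostsPath -ErrorAction SilentlyContinue |
    Where-Object { $_ -match '^\s*[0-9a-fA-F:.]+\s+\S' -and
                   $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$' } |
    ForEach-Object { $findings.Add("hosts entry: $($_.Trim())") }

# 6. Winsock catalog: a provider DLL outside System32 is a third-party LSP.
#    If that DLL was deleted by a cleanup, the whole TCP/IP stack may stop resolving.
foreach ($line in (netsh winsock show catalog)) {
    if ($line -match 'Provider Path:\s*(.+)$') {
        $dll = $Matches[1].Trim()
        if ($dll -notmatch '^(%SystemRoot%|C:\\Windows)\\system32\\') {
            $findings.Add("Winsock LSP outside System32: $dll")
        }
    }
}

# 7. Firefox keeps its own proxy settings in prefs.js per profile
#    (network.proxy.type: 0 none, 1 manual, 2 PAC, 4 auto-detect, 5 system).
Get-ChildItem "$env:APPDATA\Mozilla\Firefox\Profiles" -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    $prefs = Join-Path $_.FullName 'prefs.js'
    if (Test-Path -LiteralPath $prefs) {
        Select-String -LiteralPath $prefs -Pattern 'network\.proxy\.(type|http|ssl|autoconfig_url)' |
            ForEach-Object { $findings.Add("Firefox $($_.Line.Trim())") }
    }
}

if ($findings.Count -eq 0) { 'No proxy, hosts or Winsock anomalies found.' } else { $findings }
```

Read the output top down: a status code other than 2 in section 1 means the problem is cabling, driver or adapter state and no proxy fix will help; a stale WinINet proxy or PAC URL in section 3 is the classic adware leftover; an LSP path in section 6 whose file is missing explains a machine that has an IP address and DNS servers but cannot open any site.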

#7 pssrfid22

pssrfid22
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:12:13 AM

Posted 12 January 2016 - 02:13 PM

Powered off and on router with no luck. Still no internet connection. Attached is the log from the mini toolkit.

Attached Files

  • Attached File  MTB.txt   41.6KB   1 downloads


#8 nasdaq

nasdaq

  • Malware Response Team
  • 38,925 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:13 AM

Posted 13 January 2016 - 07:48 AM

Looks like there is a problem with your LAN settings.

I suggest you start a new topic in the Networking forum.
http://www.bleepingcomputer.com/forums/f/21/networking/

Post the MiniToolBox log.
An expert in that field will be able to help you better than I can.
This is not my forte.

I will leave this topic open for 6 days. If you need to return please do.



